On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:

> This is a MANDATORY upgrade for anyone not running on a very recent
> edge (which isn't affected by this). If you have a public Rails site,
> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
> do not want to be caught unpatched.
>
> The issue is in fact of such a criticality that we're not going to dig
> into the specifics. No need to arm would-be assailants.

This seems misguided to me.  One of the things that I have always 
appreciated about the general open source environment is that when 
there is a security vulnerability it is announced.  It is described. 
And it is fixed.

The process is open, and it works because someone can go and look at 
the information about the vulnerability and learn from it, and they can 
have faith in the advice to upgrade because the vulnerability 
announcement is clear about what the exploit is and the risk from it.


Kirk Haines