New security mailing list

Posted by David August 10, 2006 @ 06:10 PM

In light of the past days of fun and games, we’ve started a new mailing list focused entirely around security. This list will be much lower volume than the main list and be exclusively about security concerns. You can sign up at the rails-security mailing list page.

UPDATE: This is an announce-only list. So you won’t get spammed unless it matters.

21 comments

Comments

  1. rfunk on 10 Aug 18:23:

    So is this announce-only, or a discussion list?

    Because there really needs to be an announce-only list.

  2. evan on 10 Aug 18:48:

    Is there an RSS feed of this list? I check my RSS reader as much as I check my email and I’m sure some others are the same way.

  3. Hilmi on 10 Aug 19:05:

    You can’t see the list archives before subscribing. I think archives should be open for this list; some people may prefer reading it from web interface.

  4. Jason Hoffman on 10 Aug 20:08:

    The list archive is open now.

  5. Joe on 10 Aug 20:13:

    Be nice if there was an RSS feed that mirrored this list.

  6. Zack on 10 Aug 21:35:

    +1 on the RSS feed

  7. rick on 10 Aug 22:05:

    How about a rails-security Google Group? If you have an issue with getting a Google account, you should be able to subscribe to the atom feed.

  8. namxam on 11 Aug 01:53:

    +1 on the RSS feed

  9. Robertas Aganauskas on 11 Aug 03:26:

    +1 on the RSS feed

  10. Andre on 11 Aug 04:37:

    +1 RSS feed. RSS is how I found out about the security update the other day.

  11. Hilmi on 11 Aug 11:11:

    Here are the RSS feeds: http://groups.google.com/group/rails-security/feeds

  12. henning on 11 Aug 11:46:

    oh, really? Cool, after ignoring the security issue completely until some days ago (where was the security information for previous versions???), suddenly with media hype about security you come up with a list?

    isn’t that a bit late???

    Where’s the security information on the website? One must go down to this blog to find any information about the latest security issues. Isn’t that hiding security issues because it doesn’t look good on the main web site?

    Maybe the rails developers come down from their “we do everything better” horse now, hopefully, and start thinking about things important for people who want to build more than hobby projects, topics like architecture (anything more than MVC) and security seem not at all to appear in any rails documentation until now, time for a change.

  13. comment censorship on 11 Aug 11:47:

    too interesting to see that you even try to control the comments people write into your blog… no critical messages allowed here???

  14. Dieter Komendera on 11 Aug 12:50:

    +1 RSS feed. Exactly as Andre I heard via RSS from the security issue.

  15. Eric Mill on 11 Aug 13:59:

    +1 RSS Feed, trendy.

  16. Daniel on 11 Aug 14:04:

    As one of those who asked for it I feel obliged: Thank you very much!

  17. DHH on 11 Aug 14:39:

    censorship, you must be new here. We moderate to get rid of spam. But how ever so ironic that you should choose to hide your own name and complain about us wanting to hide things. Heh.

    henning, huh? What security issues are you talking about? We’ve identified this issue from within the core group, came up with a fix, and shared the information under the trade-off of disclosure and ample upgrade time.

    Then we got the suggestion that people would like to see a low-volume security list for these announcements to ensure that they got the message and we obliged. Now that’s bad?

    You obviously have a chip on your shoulder and this seems to be the way to get it off. It’s okay. Let it all out, then take a deep breath. We’re here to help with whatever issues people might have. Security wise or psychologically.

  18. Jeroen on 11 Aug 16:02:

    I’ve been following these blog postings and comments for a while now and it really amazes me how some people are just so angry and scared. These two characteristics won’t make you very happy.

    But it pleases me to see that the vast, vast majority of posters respect the work people put into rails. I’m happy to be among those as well. I love working with RoR and I think it’s progressing faster and in more interesting ways than any other webapp framework.

  19. Bill on 13 Aug 17:45:

    It’s hilarious how people complain about RoR security.

    I used to learn about PHPBB security problems by finding my (or another) board hacked.

    Is RoR security perfect? No, but it’s pretty damn good.

    Stay agile.

  20. DW on 14 Aug 12:14:

    Can the links to the security mailing list and RSS feed and IRC channel info be added to this page?: http://www.rubyonrails.org/community

  21. Andreas on 27 Aug 09:09:

    “Is RoR security perfect? No, but it’s pretty damn good.”

    Compared to PHP, maybe. But security definitely isn’t a priority for the Rails team. Most of the previous problems could easily have been avoided. The handling of security issues is bad, a patch for #5716 was submitted weeks ago on both the bug tracker and the Rails-Core list, and it’s still not even in the repository.