Zed is indeed so AWESOME!

EPIC Fail guys

So with the whole thing of a serious Ruby vulnerability hitting Slashdot earlier this week, I feel that I may as well make my opinion known.  Over the past year I have been actively pushing Ruby as a solution for our internal systems within a large financial company.  All of this work came crashing down yesterday as our security expert brought the vulnerability to our attention.  We had a choice of two things which we could do:

  1. Update to Ruby 1.8.6 p230
  2. Leave the entire stack well alone

The whole problem I have is this.  Ruby 1.8.6 p230 does not play well with Rails whatsoever; if I upgrade, the application will break with quite a few segfaults.  This has left me with a conundrum: not upgrade to the latest and greatest patch that Ruby recommends and not have an unhappy user base, or alternatively upgrade, break the system and damage the application's reputation within the company.

So at the moment we are waiting for a new patch to come out that plays well with Rails and praying the application doesn't break in the meantime due to malicious users.  Thankfully it is only an intranet application; however, that fact does not guarantee any users will be safe and not tinker with the code or system.

The problem I have is this.  I am up to my ears in code fixes, third-party apps and general firefighting in my current position.  I have not been looking at the commits within Ruby at all and don't make a habit of doing so, which is my own fault.  Thankfully Zed Shaw has been, and although he ranted quite a bit this week on this issue, he has some valid points.  If he had not commented on this serious issue, it is unlikely to have made Slashdot and very unlikely to have come to my security expert's attention.

Zed has given the community some great code (Mongrel FTW), in general comes across as fairly colorful in his blog, and the community would definitely be less without his presence.  While some have personally attacked Zed for his style of communication, he has without doubt brought attention to a very important issue.

Ruby and Ruby on Rails have been awesome for hobbyist programmers.  It's coming on strong for the enterprise.  Although there has been great coverage about Twitter's failure (none of which I blame on Ruby/Rails), it is without doubt one of the most famous platforms for Ruby on Rails.  It has heralded the arrival of the Ruby platform for enterprise systems; shouldn't the community start to get a bit more grown up about how priority issues get handled?  Instead of hiding serious issues with the code, we should be broadcasting them, brainstorming together and working for a solution.

Here's the thing: what's the best place to be looking for these issues? Google Groups, Git, trawling through the source, or just constantly monitoring the news vines?  Is there an RSS feed with specific Ruby vulnerabilities of this nature that I can subscribe to?  Anyhow, at this stage I'm ranting and not being coherent, so I'll sign off on this point.  If a dedicated framework stack within an enterprise gets a massive vulnerability due to base library code and causes applications to keel over and lose the company millions (yes, I'm talking about large-scale systems), who is ultimately responsible? Is it the engineer or the community?

2008-06-25 by Jonathan Clarke