Hacker News was full of posts about a security issue relating to Github and Ruby on Rails today. The story is confusing and I’m seeing some incorrect information about it. Here is a summary of my understanding of the events. I’m not casting judgement, just trying to make an understandable summary.
1. Github user homakov believes that a Rails default setting makes it more likely for Rails developers to overlook a certain security issue. He posts an issue report on the Rails repository github page explaining his concern.
2. His concern is dismissed.
3. He posts a comment on the issue which references a github issue seemingly created in the future. This is to demonstrate that the issue he raised has lead to a security hole in Github itself (which is built using Rails), which he used to post an issue with a future timestamp.
Note that this isn’t really a security bug with Rails. Rather it is a default setting that could lead a developer to create a security hole in their app. Homokov wants to alter Rails such that it is harder to make that mistake.
4. This stunt is largely ignored.
5. He tries another stunt - making a commit to the master branch of the official Rails repository. Demonstrating that he could potentially control any repository on Github. Unauthorized users should not be allowed to commit to this repository. It is a very high-profile repository, so many eyebrows are raised as a result.
This is like going to a mall that is built of Acme brand wood, which happens to have an Acme store inside. Then telling the Acme employees that their wood has a weakness if used improperly. The employees say “well, we designed that way, it’s not our fault if someone uses it improperly”. The he does a karate chop on their wall, smashing a hole in it and says, “See? even this mall where your store is located has used the wood improperly”.