E-Scribe News : a programmer’s blog

About Me

PBX My name is Paul Bissex, and e-scribe.com is my consulting business. I build web applications using as much open source software as possible. From September to June I teach web design and other important non-photographic professional skills to photographers. In the '90s I wrote technology commentary and reviews for magazines, newspapers, and web publications, including Wired, Salon.com, FamilyPC, the late lamented Web Review, and the Chicago Tribune. Feel free to email me.

Book Project

I'm co-authoring a book, "Python Web Development with Django", with Jeff Forcier and Wesley Chun. It will be published by Prentice Hall in July 2008, but is available for pre-ordering on Amazon now.

Colophon

This site is built on a fresh trunk checkout of Django, running on Python 2.5.1, served by Apache and mod_python. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive.

Pile o'Tags

ajax apple blogs browsers business design django ebay fp fun google hardware haskell intellectual property iphone javascript linux media mobile open source os x oscon oscon2007 palm php programming python rails rants reading risks ruby site spam textmate the well tips vcs web development web frameworks webservers wmassdevs

Stuff I Use

Akismet, del.icio.us, Django, dpaste.com, Emacs, FreeBSD, Freenode, jQuery, LaunchBar, MacPorts, Markdown, Mercurial, OS X, Postfix, Python, SQLite, Subversion, TextMate, Trac, Ubuntu Linux, wmii

A Django site.
(Finally!)

Copyright 2008
by Paul Bissex
and E-Scribe New Media

Rails security hole hullabaloo

Oops So, a serious security hole in Rails was announced this week. There's a lot of bashing going on about "security through obscurity." I've always understood STO as sustained secrecy about known (or possible) vulnerabilities, which seems different from the Rails team's provisional waiting period between the initial announcement and the full disclosure. (And the patches themselves told the story, for those familiar with the source.)

Not that there weren't legitimate problems with their patch release process. They definitely made mistakes they can learn from.

In response to all this, the Django team reiterated their own security patch procedures and created an announcement list as well. There are no perfect solutions, but being clear up front is likely to cut down on whining later. Though maybe I'm just extra-sensitive to whining.

Thursday, August 10th, 2006
+ + +

Some related posts: Pastebin update: PygmentsUncovering dirt with Google code searchInternational Freedom From Stupid Software Patents DayThe twenty-minute trouble ticket systemDangerous installersRails/Django lovefest in ChicagoController freaksBig Nerd Ruby RanchDjango progressDjango, Rails, and PHP

Post a comment

Comments use Markdown syntax. Your comment will not appear until approved, which may take a few hours or more. Spammers will be torpedoed.


(Will not be shared)

(Optional)