So, a serious security hole in Rails was announced this week. There’s a lot of bashing going on about “security through obscurity.” I’ve always understood STO as sustained secrecy about known (or possible) vulnerabilities, which seems different from the Rails team’s provisional waiting period between the initial announcement and the full disclosure. (And the patches themselves told the story, for those familiar with the source.)
Not that there weren’t legitimate problems with their patch release process. They definitely made mistakes they can learn from.
In response to all this, the Django team reiterated their own security patch procedures and created an announcement list as well. There are no perfect solutions, but being clear up front is likely to cut down on whining later. Though maybe I’m just extra-sensitive to whining.