Double Shot #831
Long weekend out with the Boy Scouts helping people clean up after tornadoes. Puts a lot of this software nonsense in perspective.
-
wow how come I commit in master? O_o - Big kerfuffle over the weekend when this commit appeared in Rails master. The bottom line is that GitHub missed properly using Rails' tools to prevent mass-assignment bugs. Some of the fallout:
- How-To - The hacker involved explains what he did.
- Public Key Security Vulnerability and Mitigation - GitHub's explanation and response.
- Ruby on Rails Security Guide - Rails has publicized how to prevent this sort of thing basically forever.
- Responsible Disclosure - Where and how to responsibly report GitHub security issues.
- Ruby on Rails Security Policy - Where and how to responsibly report Rails security bugs. Not that I think this was a bug in Rails, but that's how some people are spinning it.
- Default to whitelist more for mass assignments - Rails did change to a safer default for 3.2+. Months ago.
- Whitelist just the params you allow - Code snippet from DHH.
- Or block it entirely - Initializer solution from John Barnette.
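As an added illustration (not code from this post, from Rails, or from any of the linked pages), here is the mass-assignment problem and the whitelist fix in plain Ruby with no Rails dependency: the unchecked assignment writes whatever attribute the request hash names, while the whitelisted version mirrors the attr_accessible / params.slice approach the links above describe. The PublicKey class, its attributes and the request hash are all constructed for the example.

```ruby
# Added illustration of Rails-style mass assignment in plain Ruby (no Rails
# dependency). Class name, attributes and request hashes are constructed.
require 'set'

class PublicKey
  ATTRIBUTES = %i[title key user_id].freeze
  # The whitelist: what a web form is allowed to set (cf. attr_accessible).
  ACCESSIBLE = Set.new(%i[title key]).freeze

  attr_reader(*ATTRIBUTES)

  def initialize(owner_id)
    @user_id = owner_id # chosen by the application from the session, not the form
    @title = nil
    @key = nil
  end

  # No whitelist: every attribute named in the request hash is written,
  # so an extra form field can reassign user_id.
  def assign_unchecked!(params)
    params.each do |name, value|
      sym = name.to_sym
      instance_variable_set("@#{sym}", value) if ATTRIBUTES.include?(sym)
    end
    self
  end

  # Whitelist: only ACCESSIBLE attributes are written; the rest are returned
  # so the caller can log them (Rails' mass_assignment_sanitizer = :strict
  # raises at this point instead of logging).
  def assign_whitelisted!(params)
    params.each_with_object([]) do |(name, value), rejected|
      sym = name.to_sym
      if ACCESSIBLE.include?(sym)
        instance_variable_set("@#{sym}", value)
      else
        rejected << sym
      end
    end
  end
end

# Constructed request: the form only shows title and key, but user_id arrives too.
REQUEST = { 'title' => 'laptop', 'key' => 'ssh-rsa AAAAB3...', 'user_id' => 42 }.freeze

if __FILE__ == $PROGRAM_NAME
  k = PublicKey.new(7).assign_unchecked!(REQUEST)
  puts "unchecked: user_id=#{k.user_id}" # 42: key attached to another account
  k = PublicKey.new(7)
  dropped = k.assign_whitelisted!(REQUEST)
  puts "whitelisted: user_id=#{k.user_id} dropped=#{dropped.inspect}" # 7, [:user_id]
end
```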
- CapybaraEmail - Test support for Action Mailer via Capybara.
- ActiveWarehouse - This ETL project for Ruby has reached version 1.0.0rc1.
- GitHub for Mac 1.2: Snow Octocat - A speed and stability release with a few new features.
- Square Register - Slick-looking iPad cash register app that works with Square's card readers.
- HTML5 & Friends - MDN's page on the subject is a good starting point if you want to see what's up with all these new web technologies.
- SourceTree - Free Git/Mercurial/Subversion client for OS X from Atlassian.
- Call yourself a 'brogrammer'? Then get the hell away from me. - John Graham-Cumming casts well-deserved scorn at the latest chauvinist stupidity in our community.