Re:They KNEW about this vulnerability? (Score 1)
There are two groups of developers here.
Ruby on Rails, the framework, had developers that knew about this general class of vulnerabilities - it's easy to write code that ends up being buggy.
GitHub, the web site (that runs on Rails, and hosts the Rails source repository), knew about the general class of vulnerabilities but not that they had these particular instances of them.
It appears that Homakov tried to get Rails to change the defaults so that these things can't happen unless you ask for them, and was rejected as making the framework more difficult for prototyping use; the opinion on the bug was something along the lines of "the developer using the framework should be protecting against this". He then demonstrated in frustration that this was a bad default, since GitHub is one of the leading sites using the framework and is developed by people generally thought of as knowing what they are doing.
It appears that this has worked and the opinion of the framework developers has changed, and no real damage was done, other than possibly reputation.
GitHub, overall, seemed to be collateral damage.
P.S. I don't think GitHub is open source; Ruby on Rails is.