Open source is examined by thousands

Open Source Security

One of the topics we have touched on in this blog is how open source is a more secure type of software because there are so many eyes looking at it all the time. And, as security issues are discovered, they are shared with the entire community. This stands in direct contrast to proprietary software where you have a relatively small team looking at the software and testing it for vulnerabilities. In the open source community, you have thousands of people from all software disciplines constantly poking and probing the software to explore what can be done and what can’t.

In another example of how open source sharing works, I recently found this alert in my Twitter notifications:

Rails 3.2.18, 4.0.5 and 4.1.1 have been released!

Hi everyone!

Rails 3.2.18, 4.0.5 and 4.1.1 have been released!

These three releases contain important security fix, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we’ve only included commits directly related to each security issue.

The security fixes is:

The commits for 3.2.18 can be found here, the commits for 4.0.5 can be found here, and the commits for 4.1.1 can be found here.

Here are the checksums for 3.2.18:

$ shasum *3.2.18*
971d49dac1d0d2576e9bd01b9a96c393098a96c5  actionmailer-3.2.18.gem
4c99239a646f8c662559f9fc4924c20a0f29eae7  actionpack-3.2.18.gem
51f280b8c606a3c7cd503933cabff7b0c6172d1b  activemodel-3.2.18.gem
b99c31493ddaf0af4c0007b526dd5213222c2bd9  activerecord-3.2.18.gem
a9d35d1c837047ee328d0f16f420cd2c60a612c9  activeresource-3.2.18.gem
1526e35aaa02ffb526f5cda77425fecdfd449f56  activesupport-3.2.18.gem
8ad5bf5ab760112100e29d8515d7c5181f8dbae0  rails-3.2.18.gem
97e6e478dbebff9cf31c301381b8527f2a523ee5  railties-3.2.18.gem

Here are the checksums for 4.0.5:

$ shasum *4.0.5*
80be4d61b42fc532d87ba8816f521b7413a52ce2  actionmailer-4.0.5.gem
b830f763f6b621cb066002eef02f8ada4826baa2  actionpack-4.0.5.gem
b1aefc15e8b506a53975705840e0445065e14822  activemodel-4.0.5.gem
f263e52056be02628308ccb1980903f3f5fb7668  activerecord-4.0.5.gem
3fba584240a62ad0267f77abbcbd849f138f724b  activesupport-4.0.5.gem
166a8ee2064d34fefcda0a383672e83818e5961f  rails-4.0.5.gem
fefa3c5e348b05027f4181e5e6d39f14599f1724  railties-4.0.5.gem

Here are the checksums for 4.1.1:

$ shasum *4.1.1*
796ec07e257a98f31eeea38def505cbf3f1e2747  actionmailer-4.1.1.gem
25e4ad2bc143df849941ba54bb47b1d2dca55c2c  actionpack-4.1.1.gem
61a9662e06b32f29d89278105e87c230377a6dfd  actionview-4.1.1.gem
672d510e216019776b66f1e07e7faf4ac5bb21f5  activemodel-4.1.1.gem
63100443a3416cdde474cca56967bd55029ac507  activerecord-4.1.1.gem
937c7faa903e678e55536c18ee1ea9bafe08b8af  activesupport-4.1.1.gem
558547922545bf8f7c1c2d3bc845b2a66f9d826a  rails-4.1.1.gem
c5c5763e164eb9fb5e3a93fc25df436c379b0d54  railties-4.1.1.gem


This type of sharing ensures that all interested parties become aware of the fixes available, and take steps to protect their own applications. As new black hat hacker capabilities evolve, new vulnerabilities will be discovered, and the fixes will be shared in a similar manner as you see above. That makes the platform more secure, and gives us a level of comfort and confidence that our programs and applications will be fully functional well into the future.