A few weeks ago I read about some critical security issues that affected Rails. I’m not a Rails user; don’t really care for it (Ramaze rules), but it’s still of interest because often what’s claimed to be a problem with some specific application can in fact be caused by something more fundamental, making it a problem for other Rubyists as well.
I learned of this issue from reading Hacker News, but that seems like a poor way to get security updates. I looked around for a better source. The main Ruby web site has a page for security issues, but it seems to be out of date. Some other efforts have sprung up to make security issues more readily available, but they all seem to require that people actively go look for the info.
A good, canonical source of software vulnerabilities I found is the National Vulnerability Database. There are other sites (such as cve.mitre.org) but the NVD site has search.
Having to remember to go check for security issues is an unreliable way to stay informed. Better to have that information put in front of you as it occurs.
I run Ruby-doc.org, which serves up API documentation for multiple versions of Ruby and most (if not all) available gems, and it gets a fair amount of traffic. It occurred to me that it would be a really good place to display security alerts.
The NVD search results page presents the data in well-formed HTML. This made it fairly easy (modulo some corner cases) to extract the specifics of current vulnerabilities, generate a short announcement blurb, and write it to a file.
I modified the template I use on the site to include some JavaScript that dynamically loads this file. It updates the page DOM just below the top menu, inserting whatever is in the generated alert file. The script that generates the source file is triggered by cron, and I put in some stuff to prevent browser caching. It culls the search results for what was reported in the last 14 days; if there is nothing that recent then no alert should be displayed.
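Here is a sketch of the generator side of that pipeline, as an added example rather than the actual Ruby-doc.org script: parse a search results page, keep only entries published in the last 14 days, and write the HTML fragment the page's JavaScript will insert. The markup (the `vuln`, `vuln-id`, `summary`, `published` and `severity` class names), the ISO date format, the sample entries and the output file name are all constructed assumptions for this example, not the real NVD page structure. It also goes one step past the text by deriving a banner CSS class from the highest severity in the window, which the post mentions only as a possible tweak.

```ruby
require 'date'
require 'cgi'

# Constructed sample markup standing in for a vulnerability search results
# page. The class names are assumptions for this example, not real NVD markup;
# a real extractor needs selectors matched to the live page.
SAMPLE_HTML = <<~HTML
  <div class="vuln">
    <a class="vuln-id">CVE-EXAMPLE-0001</a>
    <p class="summary">Ruby on Rails <b>parameter parsing</b> issue &lt;script&gt;alert(1)&lt;/script&gt;</p>
    <span class="published">2013-01-08</span>
    <span class="severity">HIGH</span>
  </div>
  <div class="vuln">
    <a class="vuln-id">CVE-EXAMPLE-0002</a>
    <p class="summary">Older gem issue, outside the 14-day window</p>
    <span class="published">2012-11-30</span>
    <span class="severity">MEDIUM</span>
  </div>
  <div class="vuln">
    <a class="vuln-id">CVE-EXAMPLE-0003</a>
    <p class="summary">Entry with an unparseable date (one of the corner cases)</p>
    <span class="published">pending</span>
    <span class="severity">LOW</span>
  </div>
HTML

Vuln = Struct.new(:id, :summary, :published, :severity)

# Reduce an HTML fragment to plain text: drop tags, decode entities.
# Everything is re-escaped at render time, so nothing scraped reaches the DOM raw.
def plain_text(fragment)
  CGI.unescapeHTML(fragment.gsub(/<[^>]*>/, '')).strip
end

# Extract one Vuln per result block; skip blocks with missing or malformed fields.
def parse_vulns(html)
  html.scan(%r{<div class="vuln">(.*?)</div>}m).flatten.map do |block|
    id        = block[%r{class="vuln-id">([^<]+)<}, 1]
    summary   = block[%r{class="summary">(.*?)</p>}m, 1]
    published = block[%r{class="published">([^<]+)<}, 1]
    severity  = block[%r{class="severity">([^<]+)<}, 1] || 'UNKNOWN'
    next if id.nil? || summary.nil? || published.nil?
    begin
      date = Date.strptime(published.strip, '%Y-%m-%d') # assumed ISO date format
    rescue ArgumentError                                # Date::Error is an ArgumentError
      next                                              # drop the entry rather than crash the cron job
    end
    Vuln.new(id.strip, plain_text(summary), date, severity.strip.upcase)
  end.compact
end

# Keep only entries published within the last `days` days (14 by default),
# most recent first. `today` is injectable so the selection is testable.
def recent_vulns(vulns, today: Date.today, days: 14)
  cutoff = today - days
  vulns.select { |v| v.published >= cutoff && v.published <= today }
       .sort_by(&:published).reverse
end

SEVERITY_RANK = { 'HIGH' => 3, 'MEDIUM' => 2, 'LOW' => 1, 'UNKNOWN' => 0 }.freeze

# CSS class for the banner, driven by the highest severity in the window.
def banner_class(vulns)
  top = vulns.max_by { |v| SEVERITY_RANK.fetch(v.severity, 0) }
  top ? "alert-#{top.severity.downcase}" : nil
end

# Render the alert fragment. Empty string when nothing is recent, so the page
# shows no banner. Every scraped string is HTML-escaped on the way out.
def render_alert(vulns, days: 14)
  return '' if vulns.empty?
  items = vulns.map do |v|
    "<li>#{CGI.escapeHTML(v.id)} (#{CGI.escapeHTML(v.severity)}, " \
    "#{v.published.iso8601}): #{CGI.escapeHTML(v.summary)}</li>"
  end
  "<div class=\"security-alert #{banner_class(vulns)}\">" \
  "<strong>Ruby security alerts, last #{days} days:</strong>" \
  "<ul>#{items.join}</ul></div>"
end

# The cron-driven entry point: parse, filter, write the fragment the page's
# JavaScript loads. In production `html` would come from an HTTP fetch.
def write_alert_file(path, html, today: Date.today)
  fragment = render_alert(recent_vulns(parse_vulns(html), today: today))
  File.write(path, fragment)
  fragment
end

if __FILE__ == $PROGRAM_NAME
  # Fixed "today" so the constructed sample produces one alert.
  puts render_alert(recent_vulns(parse_vulns(SAMPLE_HTML), today: Date.new(2013, 1, 20)))
end
```

The point worth taking from this beyond the scraping itself: the generated file is injected into the DOM of a high-traffic site, so every string lifted from the search results has to be treated as untrusted and escaped on output, otherwise a crafted vulnerability summary becomes a script running on your own pages. Entries with unparseable fields are dropped rather than allowed to abort the cron run, so one odd record cannot silently stop the banner from updating.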
I tried to do it in a way that is noticeable but not terribly in-your-face. I opted for 14 days as a balance between reaching a larger number of people while (I hope) not having a perpetual alert banner that people ignore.
That number of days was based on a guesstimate about how often new alerts come up. I may lower it, maybe to 10 or 7 days, to avoid alert fatigue if there are too many issues reported. Or alter the color of the banner based on the severity of the most recent alert, or color it using some aggregate severity based on what was found. Or skip listing low-severity alerts. I’ll have to see what kind of feedback I get.
The goal isn’t to reach everyone, but to reach enough people who will take notice and help spread the word when there are Ruby vulnerability issues.