It’s great to see that the Habari guys are committed to security as well as functionality and are providing security updates for their pre-1.0 software. It is a pity that they don’t disclose much in their security announcements.
For me, responsible open security practice means that, as well as responding quickly to security issues, you give your users enough detail about the issue to let them judge how important the upgrade is to them. Do they need to upgrade immediately because the issue is easy to exploit, or can it wait until the weekend when they have more time to make sure they have a backup and a plan for when the upgrade goes wrong?
The WordPress project tries to provide this information: we publish clear security release announcements on the development blog, which is syndicated into everyone’s dashboard. The Habari project, however, seems happy with a release announcement that basically says: “Hey, your blog is vulnerable to some critical security issue, but we fixed it for you, upgrade now!”
For example, in the WordPress 2.6.2 announcement we have:
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
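To make concrete what “SQL Column Truncation” in that announcement refers to, here is an added illustration of the general mechanism against MySQL. It is not WordPress code and not the exact attack Esser reported (whose details the announcement defers); the table name, column sizes, user names and e-mail addresses are made up for the demonstration. It assumes a MySQL server and a PAD SPACE collation, both of which are stated in the comments.

```sql
-- Added illustration of the SQL column truncation class (not WordPress code).
-- Assumes MySQL; the table, column sizes and values are constructed for this demo.
SET SESSION sql_mode = '';   -- non-strict mode: over-long strings are truncated with only a warning

CREATE TABLE demo_users (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  -- utf8mb4_general_ci is a PAD SPACE collation: trailing spaces are ignored on comparison
  user_login VARCHAR(60)  CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  user_email VARCHAR(100) NOT NULL
);

-- The legitimate account the attacker wants to collide with.
INSERT INTO demo_users (user_login, user_email) VALUES ('admin', 'admin@example.com');

-- Attacker registers 'admin' + 55 spaces + 'x' (61 characters, one over the column limit).
-- An application "does this user already exist?" check compares the full 61-character
-- string, so it finds nothing and lets the registration through.
SELECT COUNT(*) FROM demo_users
 WHERE user_login = CONCAT('admin', REPEAT(' ', 55), 'x');     -- 0

-- MySQL truncates the value to 60 characters, dropping the 'x' and keeping the padding.
INSERT INTO demo_users (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'x'), 'attacker@example.com');
SHOW WARNINGS;   -- Note 1265: Data truncated for column 'user_login' at row 1

-- Under a PAD SPACE collation 'admin' and 'admin' + 55 spaces compare equal, so a lookup
-- by user name, such as a password reset, now returns the attacker's row as well.
SELECT id, user_email, LENGTH(user_login) AS len
  FROM demo_users
 WHERE user_login = 'admin';
-- id | user_email           | len
--  1 | admin@example.com    | 5
--  2 | attacker@example.com | 60

-- Hardened setting: strict mode turns the silent truncation into an error
-- (ERROR 1406: Data too long for column 'user_login'), so the second row never lands.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO demo_users (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'y'), 'attacker2@example.com');   -- fails
```

Two caveats for anyone reproducing this. Strict mode only closes the truncation half of the problem; the application should also reject user names longer than the column and put a UNIQUE index on user_login, which under a PAD SPACE collation treats 'admin' and 'admin' plus trailing spaces as duplicates and refuses the second row regardless of sql_mode. And MySQL 8’s default utf8mb4_0900_ai_ci collation is NO PAD, so on such a column the trailing-space equality in the final SELECT does not hold, while the truncation itself still happens whenever strict mode is off.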
Compare this to the recent Habari announcement:
The Habari Community announces the release of version 0.5.2. This version is a critical security update; all users of any version prior to 0.5.2 should upgrade at once. Additionally users of HEAD should also update to the latest revision.
Thanks are due to the entire community for identifying and patching this bug in a timely manner.
This isn’t very detailed and leaves me wondering: what was the issue? How serious was it? Is the issue such a bad example of security-aware development that they don’t want to highlight how wrong they got things?
Don’t get me wrong, I am pleased that security matters to the Habari project, and I know the difficulties involved in developing secure software; I just feel that you need to be open about your issues to build trust with your users.
Update: There is now a much clearer release announcement for Habari v0.5.2.