Telling administrators “you must update this immediately” once is bad enough. But doing it twice in one day is bound to sour some folks on Rails as an enterprise development platform. At least they’ve finally opened up about the nature of the vulnerability, but their failure to do that from the outset certainly lost them a lot of points with folks in the security community.
In all, this whole “crisis” has been handled about as badly as possible, but hopefully the Rails development folks will learn some lessons. Rails is still new enough that the team ought to be able to ride this out, and hopefully they will be stronger and smarter because of it.
dan _at_ denimgroup.com