In my opinion, the first comment on the post isn't 'tribal' simply because it blindly attacks Ruby, but because it also blindly disregards the vulnerabilities in Python (which the author carefully and reasonably outlined).

Have you ever looked at the pickle docs though? There is like, literally a 'red alert' banner saying how dangerous it is in combination with arbitrary untrusted input.

PyYAML's warning is not quite so blatant (http://pyyaml.org/wiki/PyYAMLDocumentation) but when you get past installation blah blah blah onto actually loading YAML, the first thing it says (in bold) is that using .load is as dangerous as pickle.load, and it references looking as .safe_load instead.

However, it would be better for the tutorial that immediately follows to use safe_load() everywhere that it can reasonably be used and to only mention .load as an advanced topic (except to mention at first that it exists but shouldn't be used)

You're missing the "real" vulnerability here. Yaml or in general object instantiation is the attack vector - and admittedly a particularly stupid and painful one - but the real vulnerability is sharing code via unsigned repositories. There are more vectors to break into a repository server. So the more serious problem is "How do we secure code?" and "How do we establish trust for shared code?"

This issue will follow us around for quite a bit, even after the YAML bugs have been fixed and gemcutter rebuilt. For ruby that means sign gems, for python sign pip packages. And that's a point where python is not substantially better of than ruby, heck, even PHP (packagist), node (npm) and java (Maven) are in the same boat here. There's something more to learn here than pointing out that "the pickle docs are better than the psych docs" and for all the pain this incident brought the ruby developers, I'd be grateful if all other language communities learned from it - but if you rather prefer leaning back in your chair and pointing out your your communities docs state the danger clearly[1], then you're welcome. This is exactly the trap that the first commenter on the blog falls into. He sees this mess as a pure ruby problem and attacks ruby instead of stepping back and trying to figure out why this affects him as well.

[1] e.g. like npm, which helpfully states that packages should be inspected before installing them. How many people do you expect to actually do that?

You're exactly right to bring up the issues with code distribution (e.g. for CPAN, PyPI), but the YAML usage is a more general/different problem. As far as I understand it Ruby on Rails would have been vulnerable even if you installed it from cryptographically-signed tarballs without any additional code from Rubygems.

But pointing out that other languages don't have super-secure code distribution systems doesn't change that they at least understand the danger of deserializers that can run arbitrary code or create arbitrary objects, especially when Ruby is also weak in this area.

At least for Python I would hope that had learned their lesson in 2011 when some popular third-party Django plugins used YAML.load instead of YAML.safe_load, instead of waiting for this. Of course, RoR devs might have noticed the same issue at that time, but there's nothing we can do about it now.

See, there's a lot more to ruby than rails - I love and use padrino, since it doesn't include as much magic. It doesn't suffer from the rails vulnerabilities caused by the yaml usage. There's also a problem, that in ruby yaml is the to-go marshalling and config format, thats what allowed the attack against rubygems. But now, suddenly all ruby applications were in danger - even my apps, even though I don't use yaml. Shell-scripts, daemons, everything that uses ruby - whether it uses yaml.load or safe_yaml.load. Chef and Puppet were at risk - and those provide root access to hundreds of servers, machines that don't even run ruby apps.

And that is because gems are not signed. If gems were signed, all of this would be a major nuisance, but with limited fallout. Signatures would get checked, approved, done - no matter which attack was used to get to the gem repo. There will be more attacks, using other vectors - a kernel exploit, a webserver exploit, a mail account hacked into. And containing that fallout is way more important. And that's the lesson that needs to be learned by all language communities: Code distribution needs to be secured since otherwise a single attack puts the whole community at risk.

So feel free to point at the python docs and pretend that that's the lack of insight about yaml is what caused the problem. It's the spark that blasted the powder keg, but we were sitting on it long before.

> emotionally-detached analysis of certain pieces of software

Really ? Ok so please expose us your analysis if you have one instead of repeating again an again your supposed conclusion without giving us any argument.