That's not super obvious or convenient for new or casual users. You could make the same argument about images: just make a new repository (or gist) and put an image in it, then link to it!
Since there are no organization private gists [1], you can't use that method for private repositories.
[1] A gist can only be "private" in the sense that it's not listed on the public gist page. No access control takes place once someone guesses the URL. That's probably good enough for most uses, but not for all.
If you look at the reviews at IMDB you will see something strange. Most of the reviews are either 1 or 10 stars. I feel like some kind of gaming of the IMDB ratings is happening.
That's not gaming. If a movie is rated 4 stars on IMDB but you think it should be 5, you won't rate it 5, you'll rate it 10 because that pulls the average closer to 5. Likewise, if it's rated 5 stars but you think it should be 4, you might rate it 1.
"Your Basecamp Classic URL (which looks like yoursubdomain.basecamphq.com) stays the same. New Basecamp accounts are hosted on the basecamp.com domain. New Basecamp accounts don't have subdomains, so all accounts are at basecamp.com."
It looks like they're gradually simplifying. They originally launched with a range of domains you could choose from: projectpath.com, clientsection.com, grouphub.com, etc. with a subdomain. Then it went to subdomains on basecamphq.com, and now just basecamp.com with no subdomains.
That's exactly what happened. It was actually confusing for people since different people on the same project were referring to Basecamp with different names. That's one of the reasons we migrated everyone to basecamphq.com and now basecamp.com on the new accounts.
I would expect the guy who found an issue with GitHub to report it to them. Yes, the rails people could have, should have... But they explicitly asked "him" to report, and there is no word on whether he did it or not.
You're stating the obvious. Egor Homakov should have done a lot of things differently. But there is little that can be done about the behavior of bad actors in the rails community. With people on the team, it's different. Practices can be audited, mistakes can be pointed out, and the fine people in the Rails team can respond to criticism and improve their performance.
If an app makes it possible to do SQL injections, whose fault is it?
What Rails has done is to have a particular default (whose correctness can be debated) and document how it can be exploited and how to safeguard from it.
You didn't really answer my question. Rails has all the helpers in place to sanitize input for SQL injection. Why in that case do they apply the defaults and not do so in this case? They both amount to making unwanted DB modifications.
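The comparison drawn above, between SQL injection helpers and the mass-assignment default, as an added illustration that is not part of the thread. It is plain Ruby with no Rails or database, so the `bind` helper (modelled on ActiveRecord's `["name = ?", value]` form), the quoting rule, and the toy `User` model are all constructed stand-ins; the point is that both defences work the same way, by letting only the intended data reach the database.

```ruby
# Added example (not from the discussion): two ways unwanted DB modifications
# happen, and the whitelisting/binding that prevents each. No Rails needed.

# Interpolating input straight into SQL: any quote in the value changes the
# structure of the statement instead of staying inside the literal.
def find_by_name_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a value as a single SQL string literal (doubling embedded quotes),
# the standard-SQL rule; a real adapter does this for you.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Placeholder binding: each "?" is replaced by one whole quoted literal, so the
# value's content cannot add or remove SQL clauses.
def bind(sql, values)
  parts = sql.split("?", -1)
  unless parts.size == values.size + 1
    raise ArgumentError, "placeholder/value count mismatch"
  end
  parts.each_with_index.map do |part, i|
    i < values.size ? part + quote_literal(values[i]) : part
  end.join
end

def find_by_name_safe(name)
  bind("SELECT * FROM users WHERE name = ?", [name])
end

# Mass assignment. The model has a field the form is meant to edit ("name")
# and one it must never touch ("admin").
class User
  attr_reader :attributes

  # Toy whitelist, in the spirit of attr_accessible / strong parameters.
  ACCESSIBLE = %w[name].freeze

  def initialize
    @attributes = { "name" => nil, "admin" => false }
  end

  # Unprotected form: every submitted key lands on the model.
  def update_attributes_unprotected(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # Protected form: keys outside the whitelist are dropped before assignment.
  def update_attributes_protected(params)
    params.each { |k, v| @attributes[k.to_s] = v if ACCESSIBLE.include?(k.to_s) }
    self
  end
end

if __FILE__ == $0
  # Constructed inputs: a name containing a quote, and a form submission that
  # includes a field the form never offered.
  puts find_by_name_unsafe("O'Brien")   # quote breaks out of the literal
  puts find_by_name_safe("O'Brien")     # quote stays inside the literal
  submitted = { "name" => "eve", "admin" => true }
  p User.new.update_attributes_unprotected(submitted).attributes
  p User.new.update_attributes_protected(submitted).attributes
end
```

The `admin` key in the constructed submission is exactly the kind of field a whitelist exists to drop; with binding, the `O'Brien` value shows that the safe path never lets a quote terminate the literal, so the same principle (decide on the server which data may reach the database) covers both cases.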