[consulting] preparing clients for Drupal 5 obsolesence

[Christian Pearce]

On Wed, Mar 11, 2009 at 1:52 PM, Greg Knaddison <greg.knaddison at gmail.com>wrote:

> On Wed, Mar 11, 2009 at 11:43 AM, Christian Pearce
> <christian at pearcec.com> wrote:
> > http://openflows.com/drupal/security
>
> Which is awesome for backports, but at least to this point I don't
> think there has been coordination for vulnerabilities that only exist
> in unsupported releases.
>
> Consider:
> A researcher finds security hole in an old, unsupported version of
> core. They either don't report it (why bother on EOL'd software) in
> which case the communication ends OR
> do report it to the security team in which case the security team
> thanks them for the research and reminds them that the version is
> unsupported at which point the communication ends.
>
> And now people on EOL software are running it without a fix for a
> somewhat known vulnerability.
>
> Regardless of where the end of communication comes....the result
> remains the same.  Running EOL'd software is a stopgap measure and
> should not be promoted.
>

Sure I have considered that.  You make sound as if you are running the
currently supported versions you will never be vulnerable.  Which simply
isn't true, a black hat can find insecure code and keep it secret.  Those
risks always exist.  And you have to safe guard yourself the same way
regardless of the version.

Yea and running EOL software is a stopgap.  And you should plan to upgrade.
But in reality that isn't always possible in the timeframe given.


> Greg
>
> --
> Greg Knaddison
> http://knaddison.com | 303-800-5623 | http://growingventuresolutions.com
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
>



-- 
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.drupal.org/pipermail/consulting/attachments/20090312/99c3eb40/attachment.htm>