On Mon, 13 Mar 2006 15:47:59 -0800 Boris Mann wrote:
The security advisories *must* go out first, privately, before the public announcement.
what exactly is "private" supposed to mean? only to the security announcements list? anyone can join that list, including malicious drupal would-be-hackers. i don't mean to be harsh, but this request seems useless.

drupal's strengths (regarding security) come from quick releases, totally transparent source, a large community of developers, an emphasis on security during development and patch reviews, and a release methodology that lends itself to making security releases that only fix bugs and security holes, not adding new things that might break people's sites when they try to upgrade.

if there are security flaws, better we a) fix them quickly (which we do), and b) tell everyone to upgrade ASAP, by all means at our disposal (which we do). trying to hide the problems and give the innocent users a chance to upgrade before the mean people find out is an utterly lost cause.

-derek

p.s. i'd also like to add my voice to the chorus of appreciation for the 4.6.6 release...