On Tue, 14 Mar 2006 11:42:47 -0800 Boris Mann wrote:
> My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important.
not if:

1) the would-be-hackers are on that list (which you can almost certainly guarantee)
2) there are (perfectly reasonable) delays delivering that much email

i still maintain it's utterly pointless, even from the standpoint of marketing and appearance, to try to warn the "good" users before the "bad" ones find out. the best defense is still rapid announcements by all possible channels, including the front page of drupal.org, and hope the site admins are on the ball enough to apply the updates in a timely manner. if not, that's their problem, not ours (we did the best we could).

any delay in the process is just going to give would-be-hackers subscribed to the security announcement list an (albeit small) advantage. if we fostered the illusion that "private" notifications (to a public list!) are helping sites stay 1 step ahead of the riff-raff, we're just giving people a false sense of security.

the site admins with a clue (the ones we care about in terms of building a larger community of people providing productive contributions back to drupal) will quickly realize how silly this is, and their opinions of our security practices will (rightfully) go down. if we want to be considered (in terms of marketing/appearances) a highly secure CMS, we should continue to *be* highly secure, not cater to people's incorrect assumptions about what makes something secure.

thanks,
-derek