Boris Mann wrote:
On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
Thanks for the appreciation of our hard work and your discreet letter to the security team that the sending of security newsletters was forgotten. They were written, just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.
Sure, it's irrelevant. It's also indicative of attitude, which the community increasingly gets accused of.
This isn't new and I still don't give a damn. The increase of insults isn't higher than the increase in # of users, I think.
First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important.
If you want to have a professional appearance you will need to find the funds to pay people (or somehow coax them otherwise).
Yep, it's hard to send out a lot of email. Yep, great job everyone in getting security issues out. We're in this together, my post was an offer of help.
Well, seems we are getting somewhere, then. Write to the sec list and explain how you can help. Cheers, Gerhard