On 27 May 2006, at 22:52, Steven Peck wrote:
In my view, given the pain and suffering of people who did not and do not upgrade due to security issues, it is irresponsible to make such vulnerable releases easily available. It does an incredible disservice to both the people still running insecure sites and the Drupal community at large. If I recall, part of the reason for this decision originally was such a public exploit. Spreadfirefox was running an old unpatched codebase. We had to deal with the fallout from that for several months and we had provided many notices to many people. This is the worst possible publicity.
I think you're mixing two things up:

1. Keeping insecure code available.
2. People not upgrading.

It's pretty obvious that 1 and 2 are not related to one another. Would SFX have upgraded when we deleted the old tarballs? Not likely. Did anyone accuse us of keeping insecure code around when SFX got hacked? Not a single person.

The same is true for your company's story. A virus hit you guys pretty hard. Your company screwed up, not the anti-virus software vendor. Would you have upgraded your software if the anti-virus software vendor deleted the old tarballs? Not likely. Did you sue the anti-virus software vendor for not deleting outdated versions of their software? Not likely.

--
Dries Buytaert :: http://www.buytaert.net/