If you really feel this is the better way to go, I'd suggest a change of strategy. The current process is not only popular but works well and is useful. If there is going to be a change from it to something else, there needs to be an obvious benefit that works with the cost/time/resources needed to do such a thing. Put together a proposed change from the current setup, perform a cost-benefit analysis on that, and then try to sell the people who can effect a change on this in the Drupal community. In trying to sell them, show them the personal benefit to them and the community over the current process. (You aren't doing this now and seem to be alienating the very people you need to sell this to.) If you don't think you can sell them, or this seems like too much work, I'd suggest saving face and backing down on this issue. Otherwise a bunch of us have to read emails (or spend time deleting them) in what is turning into an unproductive conversation.
Quoting Web Developer <lapurd@gmail.com>:
Is everybody here so quick to see another person's logic flaw, where in fact you just have to think a little further?
I did not suggest that you have to give such a detailed description that it will expose the exploit right away. But I'm sure in most cases an experienced developer/tester can come up with an explanatory description without exposing too much. I agree that some problems could be so obvious that any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious.
Alex
Patrick Teglia wrote:
it does not mean that exploit information has to be exposed. But a detailed description of the problem can help on its own even before a solution comes out.
I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is a description of the vulnerability that attackers would EXACTLY be looking for.
Patrick Teglia
On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
it does not mean that exploit information has to be exposed. But a detailed description of the problem can help on its own even before a solution comes out.