On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
Thanks for the appreciation of our hard work and your discreet letter to the security team that the sending of the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.
Sure, it's irrelevant. It's also indicative of attitude, which the community increasingly gets accused of.
First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important. Yep, it's hard to send out a lot of email. Yep, great job everyone in getting security issues out. We're in this together, my post was an offer of help.

--
Boris Mann
Vancouver 778-896-2747
San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com