http://drupal.org/security-team#report-issue

It's at the top of every "Submit Issue" page on drupal.org. Any code that is in an official release of Drupal is 100% open. Nothing in the GPL prevents the bug fixes *prior* to release from being performed in a non-public manner.

-Mike

On Oct 1, 2008, at 12:40 AM, Drupal Developer wrote:
> Wow, I would like everybody to notice something right here.
>
> In the message I reply to, Matt Farina said:
>
> "The security team handles things in a tight way. When something is reported it's not opened up to the world. If the issue is valid it's handled behind closed doors until a fix and advisory is sent out." /end of citation/
>
> I thought that Drupal is an open community of open source developers working under the GPL license. Does it mean that ALL issues have to be openly reported to the whole community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory are sent out sounds more like a corporate way of thinking, a way to develop something proprietary?
>
> I'm very concerned about that and invite everybody to collaborate on this one.
>
> Does Matt represent the real situation on this matter in the Drupal development community? If not, then I'm sure that many people would like to know exactly what the process is for handling security issues from the moment they have been reported.
__________________
Michael Prasuhn
mike@mikeyp.net
http://mikeyp.net