On Jan 18, 2008, at 4:14 AM, Gerhard Killesreiter wrote:
> Maybe you shouldn't post that Grand Plan to a public mailing list and make people expect things.
It's an open source project. Once in a while, people respond to my publicly available grand plans and offer to help. Occasionally, they even follow through with those offers and actually do something productive. After close to 2 years of struggling, I'm finally getting more people involved in working on project*, CVS, infrastructure, etc.
> We shouldn't just start to invest a great deal of time into something because a single person refuses to understand security concepts.
While we might disagree with some of their points, DragonWize and David Metzler (note: N>1) clearly understand security concepts. They (and probably others) just question some aspects of our workflow that neither side can prove conclusively. No offense, but the "just because a lone renegade refuses to understand why I'm clearly right" attitude is utterly unhelpful in this discussion, especially since (until now), everyone participating has been basically reasonable and respectful.
That aside, the system proposed by webchick and elaborated by me would have a large number of improvements over the workflow we have now. I predict it will save significant time and resources in the near future (no more manually creating project nodes on sec.d.o, much less frequently creating the issues themselves, less often drafting the SAs, easier time managing and testing patches, less time tracking communication with the module authors since we won't have to manually paste emails into issues on sec.d.o, automated QA testing of core security patches, etc), regardless of whether or not the people who have disagreed with certain aspects of our current workflow will be more happy with it.
> I fully agree that your proposal has merit and would improve the workflow. But would the amount of time that needs to be poured in justify the degree of improvement?
I think the benefits are huge, and the initial time that needs to be poured in is actually relatively small. Most of the tools already exist, support what we need them to do, and are well understood. It just depends on who volunteers to help to write some of the glue to tie it all together.
> You probably guess where I deem your time better spent...
a) Feel free to help raise money for what you'd rather I was working on.
b) Again, it seems you didn't read my message:
On Jan 18, 2008, at 1:08 AM, Derek Wright wrote:
> As always, webchick, I'd love to work with you on this. I'd just be thrilled to see some other hands show up. You and I end up working together on a lot of improvements to Drupal on our own (in spite of our nearly constant efforts to try to get others involved)...
Cheers,
-Derek