Thanks for the appreciation of our hard work and for your discreet letter to the security team that sending the security newsletters had been forgotten. They were written and just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferable to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.

First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.

Secondly, there will _always_ be a gap between the time we send out the announcements and the time you upgrade your site. Always. For example, we released Drupal 4.6.6 while Europe was sleeping. Assuming people arrive at the office around 9:00am, they suffered from an 8-hour gap. (I'm on the train to work as I write this.) Next time, chances are we send out the announcements while the US is sleeping.

In short, if you can't deal with security issues being disclosed publicly (and the time gaps inherent to that), Free and Open Source Software (FOSS) might not be for you. You need a Service Level Agreement (SLA).

-- Dries Buytaert :: http://www.buytaert.net/