On Oct 1, 2008, at 3:37 AM, Web Developer wrote:
It is just sad that the only thing you see in my notes is an intention to get this kind of information as soon as possible.
It is just sad that you're not paying attention to what we're saying. Another reason you probably wouldn't be a good fit for the security team. ;) I explicitly wrote:
If you said "I'm really interested in security and want to help fix vulnerabilities, here are my skills I'm bringing to the table, references that prove [sic] I'm not malicious, etc", we'd strongly consider it.
You *never* said *anything* like that in this entire thread. All you've said can be summarized with these 3 quotes:

1) "I thought that Drupal is an open community of open source developers working under the GPL license. Does it mean that ALL issues have to be openly reported to the whole community for everybody to review? Don't you all think that handling security issues behind closed doors until a fix and advisory are sent out sounds more like a corporate way of thinking, on the way to developing something proprietary?"

2) "All I meant is that all developers in the community would like to have at least a clue about what security issues are discovered, and deal with them on a temporary basis on their own sites until a final solution is published."

3) "Okay, what is the procedure then in order to join the security forces here? If that is the only way to get the information necessary to get the picture about the latest security issues."

Many of us have tried to point out the weaknesses in the logic of #1 and #2, and tried to explain why #3 is not a sufficient reason to join the security team. You've just kept coming back saying that the security team is closed (true), corporate (false), and that no one is reading between the lines of your messages that what you *really* mean is "I'd love to help fix vulnerabilities because I'm a security expert and I have an established track record of closing exploits through careful audits, thorough testing, and responsible disclosure." Please.

I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure". It's ok to be outvoted; just be honest and graceful about it and no one will think poorly of you...

-Derek (dww)