On Jan 17, 2008, at 1:07 PM, DragonWize wrote:
> If they are watching the logs (which they most likely are, to what extent is debatable), then they know when the security hole is committed, which is long before the fix is committed. I cannot make it any clearer that, IMHO, that reason is full of false hope.
There's a *huge* volume of existing code. New hackers are coming around all the time, but I doubt they're going to be able to immediately audit everything all at once. I suspect (but have no proof) that many are looking at changes, and starting to methodically search for problems, but haven't yet completely grokked the entire existing codebase. Maybe I'm just being overly optimistic about this bit of security by obscurity. ;)

I'm guessing that in the cost/benefit analysis of a hacker, it's better to really focus on the most popular contribs first, since exploits you might find will have a better "payoff". It does far more good to watch views, cck, pathauto, etc., with everything you've got, than to wade through the vast swamp of modules that are only used by dozens, not thousands, of sites.

Either way, I maintain it still does *not* hurt to avoid calling any public attention at all to a known vulnerability until there's an official release that fixes it, which all of your users could immediately upgrade to as soon as they're notified. The "good" users can't upgrade anyway, and if nothing else, it means sites are only vulnerable to the sophisticated, rich hackers, not the "half-wit" script-kiddies that are trying to exploit lower-hanging fruit as it streams by their RSS readers.

If the security team had many more resources and a lot more automated/streamlined process (which I think webchick's proposal gets us much closer to), we could potentially move to a weekly rhythm for security updates. Every Wednesday would become security day, and anything fixed in the previous week would be disclosed and released. Drupal site maintainers would get used to running "drush pm update"[1] for all their sites a few times near the end of the day on Wednesday. :)

Most people could just set up cron jobs to do that, if they really wanted (though module maintainers would have to become even more aware and careful about how they handle release management for their contributions, and conquer the (in the end, relatively simple) art of making sure you commit the right patches to the right branch(es) at the right time in the right order).

-Derek (dww)