On Wed, 23 Jan 2008 09:52:35 -0500 "Khalid Baheyeldin" <kb@2bits.com> wrote:
- I tried to intercept people on IRC asking what to do.
- nobody was able to point me to a guideline on how to report a security issue; I had the impression no one was responsible for sec issues.
It is here http://drupal.org/node/101494
We get a lot of spam on that mailing list, so it is moderated.
The team is entirely volunteer driven, and the amount of work is very large for it to handle. We recently asked for more volunteers and got maybe 3 responses total.
The process mentioned above spells it out. You should coordinate with security and only commit when the SA is ready.
Please, please, please... if I wrote what I wrote, I had good reasons to write it. I'd prefer not to discuss details here. But I'd like to avoid the impression I'm an asshole and the problem can be ignored.

--
Ivan Sergio Borgonovo
http://www.webthatworks.it