On Jan 17, 2008, at 11:52 PM, DragonWize wrote:
> My two main concerns are:
> 1. The process has to be simple (i.e. not like U.S. tax laws :))

Basically, think of it as the "security" subdomain of d.o. You have a CVS repo, a project node, an issue queue, automated simpletesting, everything you're used to on d.o, but only you, your co-maintainers, your inner circle of alpha/beta testers, and the security team get to see it. Is that simple enough?

> 2. Don't stop me from developing my module. As Drupal becomes more a part of my business and my livelihood, taking 2 weeks off is not an option.

Ah ha, another miscommunication has been uncovered, yay! I never said nor meant to imply "halt all development and stop committing any changes to your module until further notice." Feel free to keep developing your module, working on patches in the issue queue, fixing bugs, working on new features in your new feature branches, whatever you want. Just please try not to touch the vulnerable code at all, try to keep your stable branches stable (as always), and definitely try not to disclose the vulnerability in any way. Ideally, if you can hold off for those 0-3 weeks from modifying the vulnerable code at all in the public repo, that'd be best, but we're not going to call you irresponsible or a careless traitor to the security of the project if you end up refactoring code that touches the vulnerability or something. We're all reasonable people here, and we're operating on the basic assumption that d.o CVS account holders are willing and trying to Do The Right Thing(tm), given enough information and help. We just ask a similar degree of goodwill and trust that the security team isn't trying to impede your livelihood as a Drupal developer. Everyone profits and benefits tremendously from our work. In fact, I doubt many people could make a living with Drupal at all if we didn't have as kick-ass a security team as we do (and that's directed at the giants on whose shoulders I'm standing).

> If your proposals fulfill these objectives then count me in.

I believe they do. Welcome aboard. :)

-Derek (dww)