On Jan 17, 2008 6:51 PM, David Metzler <metzlerd@metzlerd.com> wrote:
On Jan 17, 2008, at 2:37 AM, andrew morton wrote:
On Jan 16, 2008 9:08 PM, David Metzler <metzlerd@metzlerd.com> wrote:
2. It seems to take the RTBC decision out of the contrib module...
Not at all, they don't write the patch for you, you and your co-maintainers come up with the fix. You RTBC it... As for any secondary reviews by the security team extending the vulnerability window, they've been very prompt when I've dealt with them and I appreciated the second set of eyes. I'd feel really dumb posting a security fix that didn't actually fix the bug but brought it to everyone's attention.
I'm not doubting the intentions of the security team, nor the need for quality code review, just the assumption that the fastest way to get a release into the hands of the users is always done by single threading this through the security team.
We simultaneously send a security announcement (SA) to the 13k subscribers. We can't give module maintainers permission to do that; mailing lists of that size have to be treated with care. It does add extra time to the module's release cycle; we do a batch of security releases twice a month. We do our best to make sure everyone, from black hats to non-technical webmasters, knows about the vulnerability at the same time.

-- Neil Drumm
http://delocalizedham.com