On Oct 20, 2006, at 8:02 AM, inkfree press wrote:
I don't know about "active role", but I do know about "passive role", which I addressed by subscribing to that list.
you're slightly confused on the 2 lists people are talking about:

1) the security announcement newsletter. this is a broadcast-only list for all security announcements. all 90K+ users of drupal.org should be subscribed to this, if they know what's good for them. no discussion, low traffic, just the security alerts.

2) the "security@drupal.org" list. this is a closed list that only the security team is subscribed to. however, anyone can post to it. this is where end users and contrib maintainers who discover or suspect a security issue can post it without it immediately being publicly disclosed to the world. it gives the people who know a chance to verify the hole, assess the threat, coordinate a response, and, where necessary, create a new set of releases. the security team uses this list amongst themselves to discuss things, along with the invite-only #drupal-security room on IRC.

so, subscribing to the announcement newsletter isn't a "passive role" on the security team, it's the bare minimum for any sane site admin with a pulse. ;)

what dries was talking about is that interested parties should send an email to security@drupal.org introducing themselves and explaining what kind of help they're prepared to give, and see what happens.

hope that helps clarify.

i, personally, am thrilled by the security team, their efforts, and the policies for security that drupal has adopted. i've suggested similar infrastructure and policy for other open source projects i'm involved in, now that i've seen the light. ;) as killes pointed out, drupal.org provides better security for users of their software than just about anything you can find anywhere, giant for-profit companies included. 10 cheers for heine and everyone else.

that said, i think everyone is open to improvements, and i agree with the basic suggestions people are making. even though what we have is great, the Drupal Way(tm) is to keep making things better... ;)

thanks,
-derek

p.s. for the record, i sent exactly such an introduction email to the security team about 1/2 year ago, and basically have never been contacted by them for anything. perhaps in the transition from chx - heine, my offer was lost in the cracks. i have discovered security holes in project.module and made releases and sec. announcements for them back in april (when i first offered to be a more active member of the sec. team), but otherwise, i haven't had any direct interaction with the security team. if y'all are feeling understaffed and overworked, perhaps you could make better use of the people like myself who've already volunteered to help. maybe we need a security-volunteers@drupal.org list for this 2nd tier of developers: not the official team, but the (if i may say so) clueful people who want to help, and can be called upon to discuss patches, assess problems in contrib caused by new versions of core, whatever. just a thought.