On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
Is it a problem only here, or is the list where the security advisories are supposed to be sent completely useless? By pure luck, I've checked my news aggregator, and I've found the new release which fixes 4 security bugs, but I haven't received _anything_ from the mailing list yet (which I check a lot more often). I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
--
Alex (a.k.a. suy) - GPG ID 0x0B8B0BC2
http://barnacity.net/ - Jabber ID: suy@bulmalug.net
On Tue, 14 Mar 2006 00:24:40 +0100, Alejandro Exojo <suy@kurly.org> wrote:
On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
Is it a problem only here, or is the list where the security advisories are supposed to be sent completely useless?
By pure luck, I've checked my news aggregator, and I've found the new release which fixes 4 security bugs, but I haven't received _anything_ from the mailing list yet (which I check a lot more often).
I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
On 13-Mar-06, at 3:33 PM, Karoly Negyesi wrote:
On Tue, 14 Mar 2006 00:24:40 +0100, Alejandro Exojo <suy@kurly.org> wrote:
On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement. Do you need help with this next time? I'll volunteer to help manage this.
--
Boris Mann
Vancouver 778-896-2747 San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com
Boris Mann wrote:
On 13-Mar-06, at 3:33 PM, Karoly Negyesi wrote:
On Tue, 14 Mar 2006 00:24:40 +0100, Alejandro Exojo <suy@kurly.org> wrote:
On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
My disappointment with the kind of users Drupal attracts is beyond description.
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
Yeah, the five minutes that saved the world... I am still wondering why I am spending my time doing security releases at all. The only responses we get consist of bitching about minor issues and auto responders.
Do you need help with this next time? I'll volunteer to help manage this.
The security team could certainly use some help. One would think that the people who as of recently are Drupal's saviours when it comes to enterprise solutions would be eager to spend some resources on this.
Cheers,
Gerhard
Personally I think the drupal community is coming along fine. Don't let the noisy minority get you down, there is a lot of good work going on and a lot of people that do appreciate it. And now back to your regularly scheduled 4.7 development.
On 3/13/06, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
Boris Mann wrote:
On 13-Mar-06, at 3:33 PM, Karoly Negyesi wrote:
On Tue, 14 Mar 2006 00:24:40 +0100, Alejandro Exojo <suy@kurly.org> wrote:
On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
My disappointment with the kind of users Drupal attracts is beyond description.
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
Yeah, the five minutes that saved the world...
I am still wondering why I am spending my time doing security releases at all. The only responses we get consist of bitching about minor issues and auto responders.
Do you need help with this next time? I'll volunteer to help manage this.
The security team could certainly use some help. One would think that the people who as of recently are Drupal's saviours when it comes to enterprise solutions would be eager to spend some resources on this.
Cheers, Gerhard
On 13-Mar-06, at 10:10 PM, Gerhard Killesreiter wrote:
The security team could certainly use some help. One would think that the people who as of recently are Drupal's saviours when it comes to enterprise solutions would be eager to spend some resources on this.
Security updates for 4.6 are definitely important to the company I work for. I can try to make myself (or maybe someone else at the office :) ) available to help. What's the process to sign up?
-Rowan
Rowan Kerr wrote:
On 13-Mar-06, at 10:10 PM, Gerhard Killesreiter wrote:
The security team could certainly use some help. One would think that the people who as of recently are Drupal's saviours when it comes to enterprise solutions would be eager to spend some resources on this.
Security updates for 4.6 are definitely important to the company I work for. I can try to make myself (or maybe someone else at the office :) ) available to help. What's the process to sign up?
I guess a letter of introduction to the security list would be a good thing to do.
Cheers,
Gerhard
On Tue, 14 Mar 2006 11:11:12 +0100 Gerhard Killesreiter wrote:
I guess a letter of introduction to the security list would be a good thing to do.
by which you mean sending email to "security@drupal.org"? based on reading the docs i could find, it doesn't look like that's a list just anyone can subscribe to (for good reason).
so, if we want to help, we just send something there, say who we are, what skills/resources we have, offer our services, and wait for someone to contact us with something to do?
just trying to get a better sense of what the security team has in mind for "outside" help. guidelines like this would be useful so that folks who want to help don't generate more work by sending too little or too much info, or send it to the wrong place.
thanks,
-derek
On Tuesday, 14 March 2006 11:11, Gerhard Killesreiter wrote:
I guess a letter of introduction to the security list would be a good thing to do.
If people cannot find their way to the (already well marketed) security mailing list, RSS feed, online postings and mailing list announcements, they should not run sites. If you cannot spend that minor time on a daily/hourly basis to upgrade your site, AND to find your information on when and how to do so, you should not run a Drupal site.
People who feel "it's too much work to keep Drupal secure" or who find that "Drupal lacks proper security systems" have (IMNSO) two options:
* Buy support. Bryght is the one name popping into my mind, but I am sure there are smaller services too. You can even train one employee for this in your organisation.
* Get involved and improve it. If you know how stuff should be done, and if you can provide the time, effort and work Dries, Karoly and Gerhard spend on this, then please do so! And no, unfortunately that is not about "typing a mail in your afternoon break". We are talking 23.00 - 02.00 overtime meetings. These people spend nights of their life to get YOUR security updates out in a proper way.
I am rather disappointed by the flames thrown at these people who managed to build YOUR security patches. Test them. Maintain them. Get them online. Type announcements for them. They should get (y)our applause. Or donations titled "thanks for the quick and nicely managed security patch". Not bitching about some mail being sent out before another one.
Gerhard, Karoly, Dries, and all others involved, a big thanks for this hard work!
Bèr
Bèr Kessels wrote:
On Tuesday, 14 March 2006 11:11, Gerhard Killesreiter wrote:
I guess a letter of introduction to the security list would be a good thing to do.
If people cannot find their way to the (already well marketed) security mailing list,
The security list I was talking about is security@drupal.org and is by invitation only. It is also only open to people who are willing and able to help with creating security releases. This does not mean "coders only", I think. The last security release was (among other reasons) delayed because nobody wrote the release announcement.
Cheers,
Gerhard
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.
First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
Secondly, there will _always_ be a gap between the time we send out the announcements and the time you upgrade your site. Always. For example, we released Drupal 4.6.6 while Europe was sleeping. Assuming people arrive at the office around 9:00am, they suffered from an 8 hour gap. (I'm on the train to work as I write this.) Next time, chances are we send out the announcements while the US is sleeping.
In short, if you can't deal with security issues being disclosed publicly (and the time gaps inherent to that), Free and Open Source Software (FOSS) might not be for you. You need a Service Level Agreement (SLA).
--
Dries Buytaert :: http://www.buytaert.net/
On Tue, 2006-03-14 at 09:12 +0100, Dries Buytaert wrote:
are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
I hope no one took my script kiddie nonsense seriously. There is no real defense against a true 0-day hacker, except proactive security audits. Script kiddies normally take a while to figure out how to implement their exploits, and how they can effectively be used. 5 minutes - 1 week probably won't kill you.
.darrel.
On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.
Sure, it's irrelevant. It's also indicative of attitude, which the community increasingly gets accused of.
First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important. Yep, it's hard to send out a lot of email. Yep, great job everyone in getting security issues out. We're in this together, my post was an offer of help.
--
Boris Mann
Vancouver 778-896-2747 San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com
On Tue, 14 Mar 2006 11:42:47 -0800 Boris Mann wrote:
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important.
not if:
1) the would-be-hackers are on that list (which you can almost certainly guarantee)
2) there are (perfectly reasonable) delays delivering that much email
i still maintain it's utterly pointless, even from the standpoint of marketing and appearance, to try to warn the "good" users before the "bad" ones find out. the best defense is still rapid announcements by all possible channels, including the front page of drupal.org, and hope the site admins are on the ball enough to apply the updates in a timely manner. if not, that's their problem, not ours (we did the best we could). any delay in the process is just going to give would-be-hackers subscribed to the security announcement list an (albeit small) advantage.
if we fostered the illusion that "private" notifications (to a public list!) are helping sites stay 1 step ahead of the riff-raff, we're just giving people a false sense of security. the site admins with a clue (the ones we care about in terms of building a larger community of people providing productive contributions back to drupal) will quickly realize how silly this is, and their opinions of our security practices will (rightfully) go down. if we want to be considered (in terms of marketing/appearances) a highly secure CMS, we should continue to *be* highly secure, not cater to people's incorrect assumptions about what makes something secure.
thanks,
-derek
Boris Mann wrote:
On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
Thanks for the appreciation of our hard work and your discreet letter to the security team that sending the security newsletters was forgotten. They were written and were just waiting to be sent.
Karoly: this is still a valid point. The security advisories *must* go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail announcements first, it is still pretty much irrelevant in the larger scheme of things.
Sure, it's irrelevant. It's also indicative of attitude, which the community increasingly gets accused of.
This isn't new and I still don't give a damn. The increase of insults isn't higher than the increase in # of users, I think.
First, there are NO private security announcements; both the announcement on drupal.org AND the security announcement mailing list are PUBLIC. Script kiddies can subscribe to the e-mail notifications as well. Chances are that they receive their e-mail notifications before you do. The mailing list is a publicly accessible notification mechanism, not an exclusive service.
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important.
If you want to have a professional appearance you will need to find the funds to pay people (or somehow coax them otherwise).
Yep, it's hard to send out a lot of email. Yep, great job everyone in getting security issues out. We're in this together, my post was an offer of help.
Well, seems we are getting somewhere, then. Write to the sec list and explain how you can help.
Cheers,
Gerhard
On 14-Mar-06, at 1:35 PM, Gerhard Killesreiter wrote:
My point being that a gap between the send out and web-based posting gives, at least, the appearance of a "heads up". And appearances are important.
If you want to have a professional appearance you will need to find the funds to pay people (or somehow coax them otherwise).
Yep, it's hard to send out a lot of email. Yep, great job everyone in getting security issues out. We're in this together, my post was an offer of help.
Well, seems we are getting somewhere, then. Write to the sec list and explain how you can help.
As I said, I'll volunteer to write security release notes.
--
Boris Mann
Vancouver 778-896-2747 San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com
On Mon, 13 Mar 2006 15:47:59 -0800 Boris Mann wrote:
The security advisories *must* go out first, privately, before the public announcement.
what exactly is "private" supposed to mean? only to the security announcements list? anyone can join that list, including malicious drupal would-be-hackers.
i don't mean to be harsh, but this request seems useless. drupal's strengths (regarding security) come from quick releases, totally transparent source, a large community of developers, an emphasis on security during development and patch reviews, and a release methodology that lends itself to making security releases that only fix bugs and security holes, not adding new things that might break people's site when they try to upgrade. if there are security flaws, better we a) fix them quickly (which we do), and b) tell everyone to upgrade ASAP, by all means at our disposal (which we do). trying to hide the problems and give the innocent users a chance to upgrade before the mean people find out is an utterly lost cause.
-derek
p.s. i'd also like to add my voice to the chorus of appreciation for the 4.6.6 release...
On Tue, 2006-03-14 at 00:24 +0100, Alejandro Exojo wrote:
On Tuesday, 14 March 2006 01:03, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
Is it a problem only here, or is the list where the security advisories are supposed to be sent completely useless?
By pure luck, I've checked my news aggregator, and I've found the new release which fixes 4 security bugs, but I haven't received _anything_ from the mailing list yet (which I check a lot more often).
I'm really very disappointed about how the Drupal project is handling releases and security advisories. IMHO, it's the worst "big" free software project in this regard.
Wow, that whole lag between notification channels... I can see the script kiddies firing up their bots trying to exploit sites between when the notifications are sent on the dev list, posted to drupal.org, and sent to the security list...
.darrel.
--I think I'm in a slightly sarcastic mood today.
Maybe the lack of a security email announcement is related to the fact that drupal.org seems to be down right now. (?)
Best,
Laura
Laura Scott
President
laura@pingv.com
pingVision, LLC
4450 Arapahoe Ave, Suite 100
Boulder, CO 80303
www.pingv.com
303.415.2559
On Mar 13, 2006, at 5:03 PM, Gerhard Killesreiter wrote:
are now available. See drupal.org/node/53524
Cheers,
Gerhard
Participants (11):
- Alejandro Exojo
- Boris Mann
- Bèr Kessels
- Darrel O'Pry
- Derek Wright
- Dries Buytaert
- Gerhard Killesreiter
- James Gilliland
- Karoly Negyesi
- Laura Scott
- Rowan Kerr