[consulting] preparing clients for Drupal 5 obsolesence
Greg Knaddison
greg.knaddison at gmail.com
Wed Mar 11 17:52:14 UTC 2009
On Wed, Mar 11, 2009 at 11:43 AM, Christian Pearce
<christian at pearcec.com> wrote:
> http://openflows.com/drupal/security
Which is awesome for backports, but at least to this point I don't
think there has been coordination for vulnerabilities that only exist
in unsupported releases.
Consider:
A researcher finds security hole in an old, unsupported version of
core. They either don't report it (why bother on EOL'd software) in
which case the communication ends OR
do report it to the security team in which case the security team
thanks them for the research and reminds them that the version is
unsupported at which point the communication ends.
And now people on EOL software are running it without a fix for a
somewhat known vulnerability.
Regardless of where the end of communication comes....the result
remains the same. Running EOL'd software is a stopgap measure and
should not be promoted.
Greg
--
Greg Knaddison
http://knaddison.com | 303-800-5623 | http://growingventuresolutions.com
More information about the consulting
mailing list