[development] Re: [support] Drupal 4.6.6/4.5.8 security releases
dries.buytaert at gmail.com
Tue Mar 14 08:12:47 UTC 2006
>> Thanks for the appreciation of our hard work and your discreet
>> letter to them security team that the sending security newsletters
>> were forgotten. They were written just waited for sending.
> Karoly: this is still a valid point. The security advisories *must*
> go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail
announcements first, it is still pretty much irrelevant in the larger
scheme of things.
First, there are NO private security announcements; both the
announcement on drupal.org AND the security announcement mailing list
are PUBLIC. Script kiddies can subscribe to the e-mail notifications
as well. Chances are that they receive their e-mail notifications
before you do. The mailing list is a publicly accessible
notification mechanism, not an exclusive service.
Secondly, there will _always_ be a gap between the time we send out
the announcements and the time you upgrade your site. Always. For
example, we released Drupal 4.6.6 while Europe was sleeping.
Assuming people arrive at the office around 9:00am, they suffered
from a 8 hour gap. (I'm on the train to work as I write this.)
Next time, chances are we send out the announcements while the US is
In short, if you can't deal with security issues being disclosed
publicly (and the time gaps inherent to that), Free and Open Source
Software (FOSS) might not be for you. You need a Service Level
Dries Buytaert :: http://www.buytaert.net/
More information about the development