[development] Re: [support] Drupal 4.6.6/4.5.8 security releases
Dries Buytaert
dries.buytaert at gmail.com
Tue Mar 14 08:12:47 UTC 2006
>> Thanks for the appreciation of our hard work and your discreet
>> letter to the security team that sending the security newsletters
>> had been forgotten. They were written and just waiting to be sent.
>
> Karoly: this is still a valid point. The security advisories *must*
> go out first, privately, before the public announcement.
No. While some people think it is preferred to send the e-mail
announcements first, it is still pretty much irrelevant in the larger
scheme of things.
First, there are NO private security announcements; both the
announcement on drupal.org AND the security announcement mailing list
are PUBLIC. Script kiddies can subscribe to the e-mail notifications
as well. Chances are that they receive their e-mail notifications
before you do. The mailing list is a publicly accessible
notification mechanism, not an exclusive service.
Secondly, there will _always_ be a gap between the time we send out
the announcements and the time you upgrade your site. Always. For
example, we released Drupal 4.6.6 while Europe was sleeping.
Assuming people arrive at the office around 9:00am, they suffered
from an 8-hour gap. (I'm on the train to work as I write this.)
Next time, chances are we'll send out the announcements while the US is
sleeping.
In short, if you can't deal with security issues being disclosed
publicly (and the time gaps inherent to that), Free and Open Source
Software (FOSS) might not be for you. You need a Service Level
Agreement (SLA).
--
Dries Buytaert :: http://www.buytaert.net/