[development] Re: [support] Drupal 4.6.6/4.5.8 security releases

Derek Wright derek at dwwright.net
Tue Mar 14 08:24:33 UTC 2006


On Mon, 13 Mar 2006 15:47:59 -0800  Boris Mann wrote:

> The security advisories *must* go out first, privately, before the
> public announcement.

What exactly is "private" supposed to mean?  Only to the security
announcements list?  Anyone can join that list, including malicious
Drupal would-be-hackers.  I don't mean to be harsh, but this request
seems useless.  Drupal's strengths (regarding security) come from
quick releases, totally transparent source, a large community of
developers, an emphasis on security during development and patch
reviews, and a release methodology that lends itself to making
security releases that only fix bugs and security holes, not adding
new things that might break people's sites when they try to upgrade.

If there are security flaws, better we a) fix them quickly (which we
do), and b) tell everyone to upgrade ASAP, by all means at our
disposal (which we do).  Trying to hide the problems and give the
innocent users a chance to upgrade before the mean people find out is
an utterly lost cause.

-derek


P.S. I'd also like to add my voice to the chorus of appreciation for
the 4.6.6 release...
