[development] Re: [support] Drupal 4.6.6/4.5.8 security releases

Boris Mann boris at bryght.com
Tue Mar 14 19:42:47 UTC 2006


On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:

>>> Thanks for the appreciation of our hard work and your discreet
>>> letter to the security team that sending the security
>>> newsletters was forgotten. They were written and just waited for
>>> sending.
>>
>> Karoly: this is still a valid point. The security advisories  
>> *must* go out first, privately, before the public announcement.
>
> No.  While some people think it is preferred to send the e-mail  
> announcements first, it is still pretty much irrelevant in the  
> larger scheme of things.

Sure, it's irrelevant. It's also indicative of attitude, which the  
community increasingly gets accused of.

> First, there are NO private security announcements; both the  
> announcement on drupal.org AND the security announcement mailing  
> list are PUBLIC.  Script kiddies can subscribe to the e-mail  
> notifications as well.  Chances are that they receive their e-mail  
> notifications before you do.  The mailing list is a publicly  
> accessible notification mechanism, not an exclusive service.

My point being that a gap between the send out and web-based posting  
gives, at least, the appearance of a "heads up". And appearances are  
important. Yep, it's hard to send out a lot of email. Yep, great job  
everyone in getting security issues out. We're in this together, my  
post was an offer of help.

--
Boris Mann
Vancouver 778-896-2747 San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com


