[development] Re: [support] Drupal 4.6.6/4.5.8 security releases
boris at bryght.com
Tue Mar 14 19:42:47 UTC 2006

On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:

>>> Thanks for the appreciation of our hard work and your discreet
>>> letter to the security team that the sending security
>>> newsletters were forgotten. They were written just waited for

>> Karoly: this is still a valid point. The security advisories
>> *must* go out first, privately, before the public announcement.

> No. While some people think it is preferred to send the e-mail
> announcements first, it is still pretty much irrelevant in the
> larger scheme of things.

Sure, it's irrelevant. It's also indicative of attitude, which the
community increasingly gets accused of.

> First, there are NO private security announcements; both the
> announcement on drupal.org AND the security announcement mailing
> list are PUBLIC. Script kiddies can subscribe to the e-mail
> notifications as well. Chances are that they receive their e-mail
> notifications before you do. The mailing list is a publicly
> accessible notification mechanism, not an exclusive service.

My point being that a gap between the send out and web-based posting
gives, at least, the appearance of a "heads up". And appearances are
important. Yep, it's hard to send out a lot of email. Yep, great job
everyone in getting security issues out. We're in this together, my
post was an offer of help.

Vancouver 778-896-2747 San Francisco 415-367-3595