[development] Re: [support] Drupal 4.6.6/4.5.8 security releases

Derek Wright derek at dwwright.net
Tue Mar 14 20:40:06 UTC 2006


On Tue, 14 Mar 2006 11:42:47 -0800  Boris Mann wrote:

> My point being that a gap between the send out and web-based posting
> gives, at least, the appearance of a "heads up". And appearances are
> important.

Not if:

1) the would-be hackers are on that list (which you can almost
   certainly guarantee)

2) there are (perfectly reasonable) delays delivering that much email

I still maintain it's utterly pointless, even from the standpoint of
marketing and appearance, to try to warn the "good" users before the
"bad" ones find out.

The best defense is still rapid announcements by all possible
channels, including the front page of drupal.org, and hope the site
admins are on the ball enough to apply the updates in a timely manner.
If not, that's their problem, not ours (we did the best we could).
Any delay in the process is just going to give would-be hackers
subscribed to the security announcement list an (albeit small)
advantage.

If we fostered the illusion that "private" notifications (to a public
list!) are helping sites stay 1 step ahead of the riff-raff, we'd
just be giving people a false sense of security.  The site admins with
a clue (the ones we care about in terms of building a larger community
of people providing productive contributions back to Drupal) will
quickly realize how silly this is, and their opinions of our security
practices will (rightfully) go down.  If we want to be considered (in
terms of marketing/appearances) a highly secure CMS, we should
continue to *be* highly secure, not cater to people's incorrect
assumptions about what makes something secure.

thanks,
-derek
