[development] Re: [support] Drupal 4.6.6/4.5.8 security releases
Gerhard Killesreiter
gerhard at killesreiter.de
Tue Mar 14 21:35:44 UTC 2006
Boris Mann wrote:
>
> On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
>
>>>> Thanks for the appreciation of our hard work and your discreet
>>>> letter to the security team that sending the security newsletters
>>>> was forgotten. They were written, just waiting to be sent.
>>>
>>>
>>> Karoly: this is still a valid point. The security advisories *must*
>>> go out first, privately, before the public announcement.
>>
>>
>> No. While some people think it is preferred to send the e-mail
>> announcements first, it is still pretty much irrelevant in the larger
>> scheme of things.
>
>
> Sure, it's irrelevant. It's also indicative of attitude, which the
> community increasingly gets accused of.

This isn't new and I still don't give a damn. The increase of insults
isn't higher than the increase in # of users, I think.

>> First, there are NO private security announcements; both the
>> announcement on drupal.org AND the security announcement mailing list
>> are PUBLIC. Script kiddies can subscribe to the e-mail notifications
>> as well. Chances are that they receive their e-mail notifications
>> before you do. The mailing list is a publicly accessible notification
>> mechanism, not an exclusive service.
>
>
> My point being that a gap between the send out and web-based posting
> gives, at least, the appearance of a "heads up". And appearances are
> important.

If you want to have a professional appearance you will need to find the
funds to pay people (or somehow coax them otherwise).

> Yep, it's hard to send out a lot of email. Yep, great job everyone in
> getting security issues out. We're in this together, my post was an
> offer of help.

Well, seems we are getting somewhere, then. Write to the sec list and
explain how you can help.

Cheers,
Gerhard