[development] Re: [support] Drupal 4.6.6/4.5.8 security releases
gerhard at killesreiter.de
Tue Mar 14 21:35:44 UTC 2006
Boris Mann wrote:
> On 14-Mar-06, at 12:12 AM, Dries Buytaert wrote:
>>>> Thanks for the appreciation of our hard work and your discreet
>>>> letter to them security team that the sending security newsletters
>>>> were forgotten. They were written just waited for sending.
>>> Karoly: this is still a valid point. The security advisories *must*
>>> go out first, privately, before the public announcement.
>> No. While some people think it is preferred to send the e-mail
>> announcements first, it is still pretty much irrelevant in the larger
>> scheme of things.
> Sure, it's irrelevant. It's also indicative of attitude, which the
> community increasingly gets accused of.
This isn't new and I still don't give a damn. The increase of insults
isn't higher than the increase in # of users, I think.
>> First, there are NO private security announcements; both the
>> announcement on drupal.org AND the security announcement mailing list
>> are PUBLIC. Script kiddies can subscribe to the e-mail notifications
>> as well. Chances are that they receive their e-mail notifications
>> before you do. The mailing list is a publicly accessible notification
>> mechanism, not an exclusive service.
> My point being that a gap between the send out and web-based posting
> gives, at least, the appearance of a "heads up". And appearances are
If you want to have a professional appearance you will need to find the
funds to pay people (or somehow coax them otherwise).
> Yep, it's hard to send out a lot of email. Yep, great job everyone in
> getting security issues out. We're in this together, my post was an
> offer of help.
Well, seems we are getting somewhere, then. Write to the sec list and
explain how you can help.
More information about the development