[development] Here is how you can get 4.5 security patches

Steven Peck speck at blkmtn.org
Sun May 28 05:38:52 UTC 2006

Folks, we are not making a point.  It is bad.  Very very bad to keep
insecure stuff out there.  It is very bad from the site admins and their
data's security and site viability.  I do not want people suffering the
shock of the loss of their site because they relied on unsecure stuff.

Did no one read my not a developer point of hard earned experience?  Has
no one wanted to take me up on my offer!?

I OFFERED a solution.  Instead people want to discuss personalities and
wordings of individuals.

Please comment directly to MY points in my post!  Do not ignore them
because they disagree with yours and those experiences are those of a
NON developer.

For what it's worth.

I have walked 9 people in the last year through getting older versions
of Drupal from CVS on #drupal-support.  3 from Drupal 4.3, 1 from Drupal
4.2 and the rest Drupal 4.4 code base.  It took approx 20 minutes on
average per person.


> -----Original Message-----
> From: development-bounces at drupal.org 
> [mailto:development-bounces at drupal.org] On Behalf Of Larry Garfield
> Sent: Saturday, May 27, 2006 8:29 PM
> To: development at drupal.org
> Subject: Re: [development] Here is how you can get 4.5 security patches
>
> I am not demanding that you support 4.5 forever.  I don't think I've ever
> demanded anything on this list, although I will sometimes suggest
> forcefully. :-)  4.5 itself is actually quite useless to me, as I first
> started using Drupal in the early 4.6 days and have never had a running 4.5
> install.
>
> I don't expect Drupal to provide support or patches for too-old releases.
> That wouldn't make sense.  At the same time, though, the revisionist history
> of expunging them from the web site is just as bad.  Lisa pointed out some
> practical cases where someone may still need access to an older version.  If
> they're already there on the site, don't remove them.  Flag them as "legacy,
> unmaintained, and insecure.  Don't use or you're dumb" instead.
>
> I'm referring mostly to older modules.  If someone already has a 4.5 site
> running, and wants to add a 4.5 module to it that used to be available, why
> make it harder for him to get it now?  Just to make a point?
>
> The other key point I am making is that "you can get it from CVS" is, for 98%
> of the computer using world, exactly synonymous with "no, we won't let you
> have it, ha ha!"  While almost anyone on this list either knows how to check
> out an older branch from CVS or can figure it out from the web site fairly
> easily, the same cannot necessarily be said for the majority of people
> running those 60,000 Drupal sites (or whatever the current number is).
> Saying "you can get it from CVS" to someone means saying "you're not 1337
> enough".  That's something you really don't want to say.
>
> On Saturday 27 May 2006 14:07, Karoly Negyesi wrote:
> > Hi,
> >
> > I am shocked by the demands to support 4.5. Do not forget that you are not
> > paying Drupal developers to do anything. You are not my boss. Nor anyone
> > else's. On what base do you demand? On the amount of contribution you made
> > to Drupal over time? I have yet to see any such contributor (note: I said
> > contributor, not coder.) who demands this.
> >
> > Therefore, the solution is very simple: if you are running 4.5 and do not
> > want to update, find others in the same situation and hire an able coder
> > who will provide the security patches for you. We will consider adding
> > said person to the security team and some guidance will be provided, but
> > please do not expect too much from our side.
> >
> > Case closed.
> >
> > Kind regards,
> >
> > Karoly Negyesi
> >
> > Ps. While I sometimes work for money, do not consider me. The less 4.5
> > code I need to touch, the better for me. Money won't change this.
>
> -- 
> Larry Garfield                  AIM: LOLG42
> larry at garfieldtech.com       ICQ: 6817012
>
> "If nature has made any one thing less susceptible than all others of
> exclusive property, it is the action of the thinking power called an idea,
> which an individual may exclusively possess as long as he keeps it to
> himself; but the moment it is divulged, it forces itself into the possession
> of every one, and the receiver cannot dispossess himself of it."  -- Thomas
> Jefferson