[infrastructure] Re: [development] Drupal 4.5 unsupported

Dries Buytaert dries.buytaert at gmail.com
Sun May 28 08:14:21 UTC 2006


On 27 May 2006, at 22:52, Steven Peck wrote:
> In my view, given the pain and suffering people who did not and do not
> upgrade due to security issues, it is irresponsible to make such
> vulnerable releases easily available.  It does an incredible disservice
> to both the people still running insecure sites and the Drupal community
> at large.  If I recall, part of the reason for this decision originally
> was such a public exploit.  Spreadfirefox was running an old unpatched
> codebase.  We had to deal with the fallout from that for several months
> and we had provided many notices to many people.  This is the worst
> possible publicity.

I think you're mixing two things up:

  1. Keeping insecure code available.
  2. People not upgrading.

It's pretty obvious that 1 and 2 are not related to one another.

Would SFX have upgraded when we deleted the old tarballs?  Not likely.

Did anyone accuse us of keeping insecure code around when SFX got
hacked?  Not a single person.

The same is true for your company's story.  A virus hit you guys
pretty hard.  Your company screwed up, not the anti-virus software
vendor.

Would you have upgraded your software if the anti-virus software
vendor deleted the old tarballs?  Not likely.

Did you sue the anti-virus software vendor for not deleting outdated
versions of their software?  Not likely.

--
Dries Buytaert  ::  http://www.buytaert.net/


