[development] Slight API change in 4.6.10 and 4.7.4

Derek Wright drupal at dwwright.net
Fri Oct 20 17:11:17 UTC 2006

On Oct 20, 2006, at 8:02 AM, inkfree press wrote:

> I don't know about "active role", but I do know about "passive  
> role", which
> I addressed by subscribing to that list.

you're slightly confused on the 2 lists people are talking about:

1) the security announcement newsletter.  this is a broadcast-only  
list for all security announcements.  all 90K+ users of drupal.org  
should be subscribed to this, if they know what's good for them.  no  
discussion, low traffic, just the security alerts.

2) the "security at drupal.org" list.  this is a closed list, that only  
the security team is subscribed to. however, anyone can post to it.   
this is where end users and contrib maintainers who discover or  
suspect a security issue can post it without it immediately being  
publicly disclosed to the world.  it gives the people who know a  
chance to verify the hole, assess the threat, coordinate a response,  
and, where necessary, create a new set of releases.  the security  
team uses this list amongst themselves to discuss things, along with  
the invite-only #drupal-security room on IRC.

so, subscribing to the announcement newsletter isn't a "passive role"  
on the security team, it's the bare minimum for any sane site admin  
with a pulse. ;)  what dries was talking about is that interested  
parties should send an email to security at drupal.org introducing  
yourself and explaining what kind of help you're prepared to give,  
and see what happens.

hope that helps clarify.

i, personally, am thrilled by the security team, their efforts, and  
the policies for security that drupal has adopted.  i've suggested  
similar infrastructure and policy for other open source projects i'm  
involved in, now that i've seen the light. ;) as killes pointed out,  
drupal.org provides better security for users of their software than  
just about anything you can find anywhere, giant for-profit companies  
included.  10 cheers for heine and everyone else.  that said, i think  
everyone is open to improvements, and i agree with the basic  
suggestions people are making.  even though what we have is great,  
the Drupal Way(tm) is to keep making things better... ;)


p.s. for the record, i sent exactly such an introduction email to the  
security team about 1/2 year ago, and basically have never been  
contacted by them for anything.  perhaps in the transition from chx - 
 > heine, my offer was lost in the cracks.  i have discovered  
security holes in project.module and made releases and sec.  
announcements for them back in april (when i first offered to be a  
more active member of the sec. team), but otherwise, i haven't had  
any direct interaction with the security team.  if y'all are feeling  
understaffed and overworked, perhaps you could make better use of the  
people like myself who've already volunteered to help.  maybe we need  
a security-volunteers at drupal.org list for this 2nd tier of  
developers: not the official team, but the (if i may say so) clueful  
people who want to help, and can be called upon to discuss patches,  
assess problems in contrib caused by new versions of core, whatever.   
just a thought.

More information about the development mailing list