[development] Slight API change in 4.6.10 and 4.7.4
drupal at dwwright.net
Fri Oct 20 17:11:17 UTC 2006
On Oct 20, 2006, at 8:02 AM, inkfree press wrote:
> I don't know about "active role", but I do know about "passive
> role", which
> I addressed by subscribing to that list.
you're slightly confused on the 2 lists people are talking about:
1) the security announcement newsletter. this is a broadcast-only
list for all security announcements. all 90K+ users of drupal.org
should be subscribed to this, if they know what's good for them. no
discussion, low traffic, just the security alerts.
2) the "security at drupal.org" list. this is a closed list, that only
the security team is subscribed to. however, anyone can post to it.
this is where end users and contrib maintainers who discover or
suspect a security issue can post it without it immediately being
publicly disclosed to the world. it gives the people who know a
chance to verify the hole, assess the threat, coordinate a response,
and, where necessary, create a new set of releases. the security
team uses this list amongst themselves to discuss things, along with
the invite-only #drupal-security room on IRC.
so, subscribing to the announcement newsletter isn't a "passive role"
on the security team, it's the bare minimum for any sane site admin
with a pulse. ;) what dries was talking about is that interested
parties should send an email to security at drupal.org introducing
yourself and explaining what kind of help you're prepared to give,
and see what happens.
hope that helps clarify.
i, personally, am thrilled by the security team, their efforts, and
the policies for security that drupal has adopted. i've suggested
similar infrastructure and policy for other open source projects i'm
involved in, now that i've seen the light. ;) as killes pointed out,
drupal.org provides better security for users of their software than
just about anything you can find anywhere, giant for-profit companies
included. 10 cheers for heine and everyone else. that said, i think
everyone is open to improvements, and i agree with the basic
suggestions people are making. even though what we have is great,
the Drupal Way(tm) is to keep making things better... ;)
p.s. for the record, i sent exactly such an introduction email to the
security team about 1/2 year ago, and basically have never been
contacted by them for anything. perhaps in the transition from chx -
> heine, my offer was lost in the cracks. i have discovered
security holes in project.module and made releases and sec.
announcements for them back in april (when i first offered to be a
more active member of the sec. team), but otherwise, i haven't had
any direct interaction with the security team. if y'all are feeling
understaffed and overworked, perhaps you could make better use of the
people like myself who've already volunteered to help. maybe we need
a security-volunteers at drupal.org list for this 2nd tier of
developers: not the official team, but the (if i may say so) clueful
people who want to help, and can be called upon to discuss patches,
assess problems in contrib caused by new versions of core, whatever.
just a thought.
More information about the development