[development] Think there's a security problem in your module? Here's what to do.

Gerhard Killesreiter gerhard at killesreiter.de
Fri Jan 18 12:14:23 UTC 2008

Derek Wright schrieb:

> On Jan 18, 2008, at 3:37 AM, Gerhard Killesreiter wrote:
>> Yeah, I am quite overwhelmed too. I think this is cannons on sparrows.
> *sigh*  I guess neither of you actually read what I wrote.  Lemme quote
> the part you seem to have skimmed, and I'll add emphasis for clarity:
> On Jan 18, 2008, at 1:08 AM, Derek Wright wrote:
>> IF we wanted to get REALLY CRAZY, we COULD START to EXPERIMENT with
>> distributed revision control ... to help manage private repos for
>> _SOME_ of the projects on SEC.d.o.
> ...
>> Could work great ... but that would depend at the very least on people
>> helping to complete the to-do list here:
>> http://groups.drupal.org/node/8102
>> and then implementing other versioncontrol API backend modules for
>> whatever tool(s) they wanted to be able to use for this.
> This could certainly take 3 years or so, depending on who has this itch
> and is willing/able to scratch it.
> Forget I even mentioned this.  It was an off-the-cuff comment about
> "someday how it could all work".  If you haven't learned by now, I tend
> to get big dreams, write them all up into the Grand Plan, then figure
> out what's realistic, and start finding a way to make it happen, at
> least the parts of the Grand Plan I personally care about.

Maybe you shouldn't post that Grand Plan to a public mailing list and
make people expect things. This will just make the current situation
look much worse to them than it really is.

> This
> particular detail of how I've been fleshing in webchick's proposal is at
> the very bottom of the list of things I care about, so don't expect me
> to work on it anytime soon, if ever.  CVS + rsync + patches in the
> private issue queues are all I care about for now.

I am also referring to this as "cannons on sparrows".

We shouldn't just start to invest a great deal of time into something
because a single person refuses to understand security concepts.

I fully agree that your proposal has merit and would improve the
workflow. But would the amount of time that needs to be poured into it
justify the degree of improvement?

You probably guess where I deem your time better spent...

> It's so reassuring to know that people will always focus on the least
> important aspects of what I write and bend them all out of shape and
> proportion. ;)

That's why mailing lists are mailing lists...