[development] Think there's a security problem in your module? Here's what to do.

Derek Wright drupal at dwwright.net
Fri Jan 18 12:57:09 UTC 2008

On Jan 18, 2008, at 4:14 AM, Gerhard Killesreiter wrote:

> Maybe you shouldn't post that Grand Plan to a public mailing list  
> and make people expecting things.

It's an open source project.  Once in a while, people respond to my  
publicly available grand plans and offer to help.  Occasionally, they  
even follow through with those offers and actually do something  
productive.  After close to 2 years of struggling, I'm finally  
getting more people involved in working on project*, CVS,  
infrastructure, etc.

> We shouldn't just start to invest a great deal of time into  
> something because a single person refuses to understand security  
> concepts.

While we might disagree with some of their points, DragonWize and  
David Metzler (note: N>1) clearly understand security concepts.  They  
(and probably others) just question some aspects of our workflow that  
neither side can prove conclusively.  No offense, but the "just  
because a lone renegade refuses to understand why I'm clearly right"  
attitude is utterly unhelpful in this discussion, especially since  
(until now), everyone participating has been basically reasonable and  

That aside, the system proposed by webchick and elaborated by me  
would have a large number of improvements over the workflow we have  
now.  I predict it will save significant time and resources in the  
near future (no more manually creating project nodes on sec.d.o, much  
less frequently creating the issues themselves, less often drafting  
the SAs, easier time managing and testing patches, less time tracking  
communication with the module authors since we won't have to manually  
paste emails into issues on sec.d.o, automated QA testing of core  
security patches, etc), regardless of whether or not the people who  
have disagreed with certain aspects of our current workflow will be  
more happy with it.

> I fully agree that your proposal has merit and would improve the  
> workflow. But would the amount of time that needs to be poured into  
> justify the degree of improvement?

I think the benefits are huge, and the initial time that needs to be  
poured in is actually relatively small.  Most of the tools already  
exist, support what we need them to do, and are well understood.  It  
just depends on who volunteers to help to write some of the glue to  
tie it all together.

> You probably guess where I deem your time better spent...

a) Feel free to help raise money for what you'd rather I was working on.

b) Again, it seems you didn't read my message:

On Jan 18, 2008, at 1:08 AM, Derek Wright wrote:
> As always, webchick, I'd love to work with you on this.  I'd just  
> be thrilled to see some other hands show up.  You and I end up  
> working together on a lot of improvements to Drupal on our own (in  
> spite of our nearly constant efforts to try to get others involved)...


More information about the development mailing list