[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Fri Jan 18 12:57:09 UTC 2008
On Jan 18, 2008, at 4:14 AM, Gerhard Killesreiter wrote:
> Maybe you shouldn't post that Grand Plan to a public mailing list
> and make people expect things.
It's an open source project. Once in a while, people respond to my
publicly available grand plans and offer to help. Occasionally, they
even follow through with those offers and actually do something
productive. After close to 2 years of struggling, I'm finally
getting more people involved in working on project*, CVS,
infrastructure, etc.
> We shouldn't just start to invest a great deal of time into
> something because a single person refuses to understand security
> concepts.
While we might disagree with some of their points, DragonWize and
David Metzler (note: N>1) clearly understand security concepts. They
(and probably others) just question some aspects of our workflow that
neither side can prove conclusively. No offense, but the "just
because a lone renegade refuses to understand why I'm clearly right"
attitude is utterly unhelpful in this discussion, especially since
(until now), everyone participating has been basically reasonable and
respectful.
That aside, the system proposed by webchick and elaborated by me
would have a large number of improvements over the workflow we have
now. I predict it will save significant time and resources in the
near future (no more manually creating project nodes on sec.d.o, much
less frequently creating the issues themselves, less often drafting
the SAs, easier time managing and testing patches, less time tracking
communication with the module authors since we won't have to manually
paste emails into issues on sec.d.o, automated QA testing of core
security patches, etc), regardless of whether or not the people who
have disagreed with certain aspects of our current workflow will be
more happy with it.
> I fully agree that your proposal has merit and would improve the
> workflow. But would the amount of time that needs to be poured in
> justify the degree of improvement?
I think the benefits are huge, and the initial time that needs to be
poured in is actually relatively small. Most of the tools already
exist, support what we need them to do, and are well understood. It
just depends on who volunteers to help to write some of the glue to
tie it all together.
> You probably guess where I deem your time better spent...
a) Feel free to help raise money for what you'd rather I was working on.
b) Again, it seems you didn't read my message:
On Jan 18, 2008, at 1:08 AM, Derek Wright wrote:
> As always, webchick, I'd love to work with you on this. I'd just
> be thrilled to see some other hands show up. You and I end up
> working together on a lot of improvements to Drupal on our own (in
> spite of our nearly constant efforts to try to get others involved)...
Cheers,
-Derek