[development] Certify Drupal for use in Government (US) Projects

Michael Prasuhn mike at mikeyp.net
Wed Oct 1 08:06:04 UTC 2008


It's on the top of every "Submit Issue" page on drupal.org.

Any code that is in an official release of Drupal is 100% open.  
Nothing in the GPL prevents the bug fixes *prior* to release from  
being performed in a non-public manner.


On Oct 1, 2008, at 12:40 AM, Drupal Developer wrote:

> Wow, I would like everybody to notice something right here.
> In the message I reply to, Matt Farina said:
> "The security team handles things in a tight way. When something is  
> reported it's not opened up to the world. If the issue is valid it's  
> handled behind closed doors until a fix and advisory is sent out." / 
> end of citation/
> I thought that Drupal is an open community of open source developers  
> working under GPL license.
> Does it mean that ALL issues have to be openly reported to all  
> community for everybody to review?
> Don't you all think that handling security issues behind closed  
> doors until a fix and advisory will be sent out is sound  more like  
> corporate way of thinking on a way to develop something proprietary?
> I'm very concern about that and invite everybody to collaborate on  
> this one.
> Does Matt represent a real situation at this matter in Drupal  
> development community?
> If not, then I'm sure that many people would like to know exactly  
> what the process is for handling security issues from the moment  
> they have been reported?

Michael Prasuhn
mike at mikeyp.net

More information about the development mailing list