[development] Certify Drupal for use in Government (US) Projects
Derek Wright
drupal at dwwright.net
Wed Oct 1 10:21:45 UTC 2008
On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:
> Okay, what is procedure then in order to join security forces here?
> If that is the only way to get information necessary to get the
> picture about latest security issues.
Nat's email already told you this:
On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:
> Those who want to help fix new discoveries can offer to join the
> security team, I don't think 'would like to know what's going on'
> is sufficient though.
As a member of the (overworked and understaffed) security team, I can
tell you right now that we'd reject your application on these
grounds. And not because we're demonstrating a "corporate" thinking
process. We're trying to protect the very openness of the developer
community you're trying to be so concerned with. If you said "I'm
really interested in security and want to help fix vulnerabilities,
here are my skills I'm bringing to the table, references that prove
[sic] I'm not malicious, etc", we'd strongly consider it. But, based
on the motivation you've already put forward in this thread -- "I
wanna be the first to know so I can try to protect my sites" -- it is
not going to fly.
On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
> All I meant is that all developers in the community would like to
> have at least a clue about what security issues are discovered.
http://drupal.org/security
> And deal with them on a temporary basis on their own sites until a
> final solution is published.
> I'm not talking about a detailed explanation of what and how a
> reported security issue can harm a Drupal site. But maybe some clue
> in order to deal with it.
Again, the only way to give a "clue in order to deal with it" is to
"give a clue how to exploit it". I'm sure the hackers reading that
information will be much better suited to act on these clues than the
average site admins who aren't well versed in security exploits.
> Or maybe we need some special procedure to subscribe to such
> information.
Any "special procedure to subscribe to such information" that scales
to a group of people larger than the security team can't possibly
keep the "bad" people out and only let in "good" people. It's
already a risk we take letting new forces join the security team
itself. No way could we have any reasonable hope of keeping the
"initial clue about possible vulnerabilities" list secure. Malicious
users *will* read that information, and use it to harm Drupal sites.
> But I'm sure that many of us would like to know what is going on
> with fresh security discoveries.
Indeed, especially hackers. ;) Drupal follows a long established
policy of "Responsible disclosure"[1] of discovered vulnerabilities.
Nothing about this contradicts the GPL or the openness of the Drupal
community in general. In fact, if we did what you suggest, I'm sure
far fewer people would be using Drupal (rightfully so).
Cheers,
-Derek (dww)
[1] http://www.sans.org/reading_room/whitepapers/threats/932.php