[development] Certify Drupal for use in Government (US) Projects

Derek Wright drupal at dwwright.net
Wed Oct 1 10:21:45 UTC 2008

On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:

> Okay, what is procedure then in order to join security forces here?
> If that is the only way to get information necessary to get the  
> picture about latest security issues.

Nat's email already told you this:

On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:

> Those who want to help fix new discoveries can offer to join the  
> security team, I don't think 'would like to know what's going on'  
> is sufficient though.

As a member of the (overworked and understaffed) security team, I can  
tell you right now that we'd reject your application on these  
grounds.  And not because we're demonstrating a "corporate" thinking  
process.  We're trying to protect the very openness of the developer  
community you're trying to be so concerned with.  If you said "I'm  
really interested in security and want to help fix vulnerabilities,  
here are my skills I'm bringing to the table, references that prove  
[sic] I'm not malicious, etc", we'd strongly consider it.  But, based  
on the motivation you've already put forward in this thread -- "I  
wanna be the first to know so I can try to protect my sites" -- is  
not going to fly.

On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
> All what I meant is all developers in the community would like to  
> have at least a clue about what security issues are discovered.


> And deal with them on temporary basis on they own sites until final  
> solution will be published.
> I'm not talking about detail explanation of what and how reported  
> security issue can harm Drupal site. But may be some clue in order  
> to deal with it.

Again, the only way to give a "clue in order to deal with it" is to  
"give a clue how to exploit it".  I'm sure the hackers reading that  
information will be much better suited to act on these clues than the  
average site admins who aren't well versed in security exploits.

> Or may be we need some special procedure to subscribe to such  
> information.

Any "special procedure to subscribe to such information" that scales  
to a group of people larger than the security team can't possibly  
keep the "bad" people out and only let in "good" people.  It's  
already a risk we take letting new forces join the security team  
itself.  No way could we have any reasonable hope of keeping the  
"initial clue about possible vulnerabilities" list secure.  Malicious  
users *will* read that information, and use it to harm Drupal sites.

> But I'm sure that many of us would like to know what is going on  
> with fresh security discoveries.

Indeed, especially hackers. ;)  Drupal follows a long established  
policy of "Responsible disclosure"[1] of discovered vulnerabilities.   
Nothing about this contradicts the GPL or the openness of the Drupal  
community in general.  In fact, if we did what you suggest, I'm sure  
far fewer people would be using Drupal (rightfully so).

-Derek (dww)

[1] http://www.sans.org/reading_room/whitepapers/threats/932.php

More information about the development mailing list