[development] Certify Drupal for use in Government (US) Projects

Web Developer lapurd at gmail.com
Wed Oct 1 10:37:09 UTC 2008


It is just sad that the only thing you see in my notes is the intention to 
get this kind of information as soon as possible. But you are denying to 
see that I also can help you.
Don't you think that it is one of the natural reasons to join any 
kind of security team, and the second reason to fix those problems?


Derek Wright wrote:
>
> On Oct 1, 2008, at 2:29 AM, Drupal Developer wrote:
>
>> Okay, what is procedure then in order to join security forces here?
>> If that is the only way to get information necessary to get the 
>> picture about latest security issues.
>
> Nat's email already told you this:
>
>
> On Oct 1, 2008, at 1:44 AM, Nathaniel Catchpole wrote:
>
>> Those who want to help fix new discoveries can offer to join the 
>> security team, I don't think 'would like to know what's going on' is 
>> sufficient though.
>
>
>
> As a member of the (overworked and understaffed) security team, I can 
> tell you right now that we'd reject your application on these 
> grounds.  And not because we're demonstrating a "corporate" thinking 
> process.  We're trying to protect the very openness of the developer 
> community you're trying to be so concerned with.  If you said "I'm 
> really interested in security and want to help fix vulnerabilities, 
> here are my skills I'm bringing to the table, references that prove 
> [sic] I'm not malicious, etc", we'd strongly consider it.  But, based 
> on the motivation you've already put forward in this thread -- "I 
> wanna be the first to know so I can try to protect my sites" -- is not 
> going to fly.
>
>
> On Oct 1, 2008, at 1:19 AM, Drupal Developer wrote:
>> All what I meant is all developers in the community would like to 
>> have at least a clue about what security issues are discovered.
>
> http://drupal.org/security
>
>> And deal with them on a temporary basis on their own sites until the final 
>> solution will be published.
>> I'm not talking about a detailed explanation of what and how a reported 
>> security issue can harm a Drupal site. But maybe some clue in order to 
>> deal with it.
>
> Again, the only way to give a "clue in order to deal with it" is to 
> "give a clue how to exploit it".  I'm sure the hackers reading that 
> information will be much better suited to act on these clues than the 
> average site admins who aren't well versed in security exploits.
>
>> Or maybe we need some special procedure to subscribe to such 
>> information.
>
> Any "special procedure to subscribe to such information" that scales 
> to a group of people larger than the security team can't possibly keep 
> the "bad" people out and only let in "good" people.  It's already a 
> risk we take letting new forces join the security team itself.  No way 
> could we have any reasonable hope of keeping the "initial clue about 
> possible vulnerabilities" list secure.  Malicious users *will* read 
> that information, and use it to harm Drupal sites.
>
>> But I'm sure that many of us would like to know what is going on with 
>> fresh security discoveries.
>
>
> Indeed, especially hackers. ;)  Drupal follows a long established 
> policy of "Responsible disclosure"[1] of discovered vulnerabilities.  
> Nothing about this contradicts the GPL or the openness of the Drupal 
> community in general.  In fact, if we did what you suggest, I'm sure 
> far fewer people would be using Drupal (rightfully so).
>
> Cheers,
> -Derek (dww)
>
> [1] http://www.sans.org/reading_room/whitepapers/threats/932.php