[development] Certify Drupal for use in Government (US) Projects

Derek Wright drupal at dwwright.net
Wed Oct 1 11:00:39 UTC 2008

On Oct 1, 2008, at 3:37 AM, Web Developer wrote:

> It is just sad that the only thing you see in my notes is intention  
> to get this kind of information at soon as possible.

It is just sad that you're not paying attention to what we're  
saying.  Another reason you probably wouldn't be a good fit for the  
security team. ;)

I explicitly wrote:

>> If you said "I'm really interested in security and want to help  
>> fix vulnerabilities, here are my skills I'm bringing to the table,  
>> references that prove [sic] I'm not malicious, etc", we'd strongly  
>> consider it.

You *never* said *anything* like that in this entire thread.  All  
you've said can be summarized with these 3 quotes:

1) "I thought that Drupal is an open community of open source  
developers working under GPL license.
Does it mean that ALL issues have to be openly reported to all  
community for everybody to review?
Don't you all think that handling security issues behind closed doors  
until a fix and advisory will be sent out is sound more like  
corporate way of thinking on a way to develop something proprietary?"

2) "All what I meant is all developers in the community would like to  
have at least a clue about what security issues are discovered. And  
deal with them on temporary basis on they own sites until final  
solution will be published."

3) "Okay, what is procedure then in order to join security forces  
here? If that is the only way to get information necessary to get the  
picture about latest security issues."

Many of us have tried to point out the weaknesses in the logic of #1  
and #2, and tried to explain why #3 is not a sufficient reason to  
join the security team.  You've just kept coming back saying that the  
security team is closed (true), corporate (false), and that no one is  
reading between the lines of your messages that what you *really*  
mean is "I'd love to help fix vulnerabilities because I'm a security  
expert and I have an established track record of closing exploits  
through careful audits, thorough testing, and responsible  
disclosure."  Please.

I'm glad you raised your concern (we are an open development  
community, and discussing concerns like this is part of that), but  
the overwhelming response has been: "NO, that'd be crazy, we prefer a  
closed security team and responsible disclosure".  It's ok to be  
outvoted, just be honest and graceful about it and no one will think  
poorly of you...

-Derek (dww)

More information about the development mailing list