[development] Certify Drupal for use in Government (US) Projects

matt at mattfarina.com matt at mattfarina.com
Wed Oct 1 14:31:15 UTC 2008 

If you really feel this is the better way to go I'd suggest a change  
of strategy. The current process is not only popular but works well  
and is useful. If there is going to be a change from it to something  
else there needs to be a an obvious benefit that works with the  
cost/time/resources needed to do such a thing.

Put together a proposed change from the current setup, preform a cost  
benefit analysis on that, and then try to sell the people who can  
affect a change on this in the drupal community. In trying to sell  
them show them the personal benefit to them and the community over the  
current process. (You aren't doing this now and seem to be alienating  
the very people you need to sell this to.)

If you don't think you can sell them or this seems like too much work  
I'd suggest saving face and backing down on this issue. Otherwise a  
bunch of us have to read emails (or spend time deleting them) in what  
is turning into an unproductive conversation.

Quoting Web Developer <lapurd at gmail.com>:

> Is it everybody here so quick to see another person logic flaw, where
> in fact you just have to think a little further?
>
> I did not suggest that you have to give such detail description that
> will expose exploit right away.
> But I'm sure in most cases experienced developer/tester can come up
> with explanatory description without exposing too much.
> I agree that some problem could be so obvious so any explanation will
> expose exploit info. Okay, but it is only one case.
> There are many problems that are not so obvious.
>
> Alex
>
>
> Patrick Teglia wrote:
>> it does not mean that exploit information has to be exposed. But detail
>> description of the problem can help on its own even before solution come
>> out.
>>
>> I am sorry, but even a guy with a Security+ certification (in other words,
>> me :) ) can see the flawed logic in this statement.  A detailed description
>> of the problem is a description of the vulnerability that attackers would
>> EXACTLY be looking for.
>>
>> Patrick Teglia
>>
>>
>> On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd at gmail.com> wrote:
>>
>>
>>> it does not mean that exploit information has to be exposed. But detail
>>> description of the problem can help on its own even before solution come
>>> out.
>>>
>>
>>

More information about the development mailing list