[development] Certify Drupal for use in Government (US) Projects

Daniel F. Kudwien news at unleashedmind.com
Wed Oct 1 14:41:05 UTC 2008


> All that I have tried to explain is that it does not mean that exploit
> information has to be exposed.

This is what actually happens already: the security team receives a security
report, does a deep analysis of the potential problem, and if the report turns
out to be valid, the security team aids the corresponding module maintainer
in fixing the vulnerability. The exploit information is made public once a fix
is available for all users.

> "Analysis and risk rating ensure the quality of the disclosed 
> information. The analysis must include enough details to allow a 
> concerned user of the software to assess his individual risk or take 
> immediate action to protect his assets."

This, too, is what happens: all subscribers to the security announcements
newsletter receive a mail for each and every fixed vulnerability throughout
Drupal core AND contributed modules.

> If the Drupal security team made a decision to follow another
> path, it's okay.
> But you should not judge other people in this matter so quickly.
> Anyway, I have tried to be polite, but since I have received such a
> suspicion of bad intentions and an arrogant perception here (at
> least that is what I feel now), I think I will stand out for now in my true
> intentions to help and let you enjoy the status of an "overworked and
> understaffed" security team.
> 
> Alex

Look, I do not belong to the security team either (albeit I have already
considered joining to help out).  However, I /feel/ very safe knowing that we
have top-notch contributors on this team, doing an excellent job of
reviewing and solving all security issues.  To be honest, I would not like
to see an arbitrary "Web Developer" (ex. "Drupal Developer") there either.
As a regular Drupal contributor and user, I know the contributions of /each/
security team member, which makes me believe that they are experts in all
Drupal areas - and friends I can trust.

I would recommend that you contribute more to Drupal, get some kudos for your
valuable contributions, and then ask again.

Thanks,
Daniel
