[development] Security Updates

Matt Chapman matt at ninjitsuweb.com
Fri Aug 6 18:24:51 UTC 2010

It's irresponsible NOT to have an SA issued for security updates.
Everybody makes mistakes there's no reason to be embarrassed for that.
You should be embarrassed for leaving your users vulnerable by not
informing them of the situation. IMO, you'll win more respect by
correcting those mistakes promptly when you realize them, and going
the extra mile to inform your users.

Put another way, wouldn't you rather be the one to report your own
issue than to have someone else report it?

I can assure you that the Drupal Security team is a bunch of nice
people who are eager to help. We won't bite your head off. :-)

All the Best,

Matt Chapman
"Occasional Maker of Mistakes and Recently Recruited Member of the
Drupal Security Team"

On Fri, Aug 6, 2010 at 11:10 AM, nan wich <nan_wich at bellsouth.net> wrote:
> I've noticed that more and more security advisories are reported by module
> maintainers. In the past, if I noticed a security problem, I would fix it
> and commit the change without saying anything. It was sort of embarrassing
> to me to have an SA filed. However, that didn't mean that users would pick
> up the fixed version.
> Are maintainers now flagging their own issues as a way to "force" people to
> update to the newest code?
> Nancy

More information about the development mailing list