[development] Security Updates

Senpai senpai_san at mac.com
Fri Aug 6 23:06:01 UTC 2010


I'd also like to point out, Nancy, that oftentimes a site will run for 6 months to a year or even longer without updating a module as long as that module is a stable release and does not have any security releases. I've personally seen webmasters make the conscious decision to leave a module (and even core) alone rather than test the improved, updated release to make sure it still works the way their current one does. It's the old adage "PHP doesn't wear out". ;)

I encourage everyone to report any potential security flaw they find in released open source code. In this manner, and as you've described below, we will all help to make FOSS safer and more enjoyable. Yay! :)
-- 
Joel Farris
"An intellectual snob is someone who can listen to the William Tell Overture and not think of The Lone Ranger."
~ Dan Rather


> On Aug 6, 2010, at 11:49 AM, nan wich wrote:
> 
> I wouldn't get interested if it was on the dev branch. This is on the official release, so I guess I'll write it up and send it in.
>  
> Nancy
> Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
> 
> 
>> From: Kieran Lal <kieran at acquia.com>
>> To: development <development at drupal.org>
>> Sent: Fri, August 6, 2010 2:35:12 PM
>> Subject: Re: [development] Security Updates
>> 
>> Hi, one caveat.
>> 
>> The Drupal security team only release security announcements and releases for certain types of releases.  See 
>> Which Releases Get Security Advisory? in http://drupal.org/security-advisory-policy
>> 
>> So if you are in your development branch and you find a security issue you just introduced, just go ahead and fix it yourself with a security tag.  If you discover a vulnerability that's in a release type that is covered report it to the security team.
>> 
>> If anyone else on the security team wants to clarify further go ahead.
>> 
>> Cheers,
>> Kieran
>> 
>> 
>>> On Fri, Aug 6, 2010 at 11:10 AM, nan wich <nan_wich at bellsouth.net> wrote:
>>> I've noticed that more and more security advisories are reported by module maintainers. In the past, if I noticed a security problem, I would fix it and commit the change without saying anything. It was sort of embarrassing to me to have an SA filed. However, that didn't mean that users would pick up the fixed version.
>>>  
>>> Nancy


More information about the development mailing list