[wp-hackers] Development Process

[Robert Deaton]

On 7/27/06, chradil at comcast.net <chradil at comcast.net> wrote:
> i've been having some kind of email issue, which is preventing me from sending/receiveing to the wp-lists today for some reason. at any rate, i was pretty disturbed to read the DrDave post and responses. Personally, I'm sure that it's simply an over-reaction, or a purposefull "dig" at wp for whatever reason, and likely relates to a known, existing trac ticket.

I doubt its an existing trac ticket, someone would surely have picked
up on a security issue if it was in a trac ticket.

> in the unlikely event that there is in fact an issue of that magnitude that has for whatever reason not been disclosed/discussed and/or addressed by the community, that's a serious problem. it's also not fair to dump the entire issue in matt/ryan's lap either.

I don't doubt that there is a huge issue, and no, perhaps its not fair
to dumb it in Matt and Ryan's lap, but what option do we have to avoid
it? We can't do anything without Matt's blessing.

> I would propose that a better solution for dealing with these kinds of security issues (both in terms of public perception/marketing, and in terms of actually addressing them) is as follows -
>
> 1) eliminate the security at wp email solution, and establish a wp-security mailing list.
> 2) create a web based form for reporting of any security issues, PROMOTE the heck out of the link to the form everywhere. set the form up so that it sends the report directly (transparent to the users/reporter) to the wp-security list.
> 3) subscribers to the security list would then as a community be able to assess or filter what's important from what's not, plus respond to each reporter of an issue, even if it's just a canned response like -- that's not really an issue, see wp codex/forums link ... ---
> once the report is "filtered" the security list subscribers would then forward important/"real" issues to both/either matt/ryan and the trac folks to take a look at and address.

The issue with this is making the security vulnerabilities public via
a mailing list where anyone could subscribe allows malicious users to
see the same information, POCs, etc., that the good people see. Full
disclosure may work for other projects, but in WP's case where the
commits and releases are decided by two busy people and a release
might not come for days, full disclosure isn't an option, we simply
can't leave hundreds of thousands of users sitting at risk.

> this type of system would completely eliminate the kind of BS in the DrDave post, since any time a post like that pops up, the wp community would be able to respond in a meaningful way with either relevant information from the wp-security list/trac tickets or, completely shoot down the BS posts, based on a tangible and trackable record of how each issue has been addressed. there would then be no more room for anyone to say "we've been reporting these BIG security holes and no one is doing anything about them".

Simply having better feedback from the security e-mail would also
elimiate this, and so I don't think a full disclosure type list is the
way to go. A private, invitation only mailing list for proven members
of the community may be the way, however.

> i'd like to re-emphasize -- DrDave's post is counter productive. if it has merit, why don't we already know about it ?

<em>We</em> don't do anything about it because we know nothing about
it. Not that this is a bad thing, the general public needs not to
know. The issue is that the developers aren't doing anything apparent
or vocal enough about it.

> if it's BS, why don't we have a mechanism for pointing the public to the truth.

Good question, as there has been false security advisories creating
FUD in the past. (ala
http://www.neosecurityteam.net/index.php?action=advisories&id=17 ),
where we went without an official response for days. Why? Who knows.


-- 
--Robert Deaton