[wp-hackers] Development Process
chradil at comcast.net
Thu Jul 27 07:25:27 GMT 2006
I've been having some kind of email issue which is preventing me from sending/receiving to the wp-lists today for some reason. At any rate, I was pretty disturbed to read the DrDave post and responses. Personally, I'm sure that it's simply an over-reaction, or a purposeful "dig" at wp for whatever reason, and likely relates to a known, existing trac ticket.
In the unlikely event that there is in fact an issue of that magnitude that has for whatever reason not been disclosed/discussed and/or addressed by the community, that's a serious problem. It's also not fair to dump the entire issue in matt/ryan's lap either.
I would propose that a better solution for dealing with these kinds of security issues (both in terms of public perception/marketing, and in terms of actually addressing them) is as follows:
1) Eliminate the security at wp email solution, and establish a wp-security mailing list.
2) Create a web based form for reporting of any security issues, and PROMOTE the heck out of the link to the form everywhere. Set the form up so that it sends the report directly (transparent to the user/reporter) to the wp-security list.
3) Subscribers to the security list would then, as a community, be able to assess or filter what's important from what's not, plus respond to each reporter of an issue, even if it's just a canned response like "that's not really an issue, see wp codex/forums link ..."
Once the report is "filtered", the security list subscribers would then forward important/"real" issues to both/either matt/ryan and the trac folks to take a look at and address.
This type of system would completely eliminate the kind of BS in the DrDave post, since any time a post like that pops up, the wp community would be able to respond in a meaningful way, either with relevant information from the wp-security list/trac tickets, or by completely shooting down the BS posts, based on a tangible and trackable record of how each issue has been addressed. There would then be no more room for anyone to say "we've been reporting these BIG security holes and no one is doing anything about them".
I'd like to re-emphasize: DrDave's post is counter-productive. If it has merit, why don't we already know about it? If it's BS, why don't we have a mechanism for pointing the public to the truth?
-------------- Original message ----------------------
From: "Robert Deaton" <false.hopes at gmail.com>
> Before this gets dismissed, this is not another "the funnel is too
> small, give someone else commit access" e-mails.
> As you all might've seen, a lot of FUD has been going around lately
> about a critical vulnerability. People are worried, and some of the people
> like DrDave love to post it to their blogs and upset the world.
> Granted, I think this is the entirely wrong way to handle things, but
> as long as things keep going like they're going, I'm sure people will
> continue doing things like this.
> Security e-mails appear to their reporters to be ignored. As I
> understand it in the past, a lot of crap gets sent through to
> security at wordpress.org, and obviously it must get rather frustrating
> and tiring for Matt and Ryan to have to read through these e-mails,
> possibly even leaving a legit threat in the stack of crap e-mails.
> (I'm trying to think of any way to explain something other than these
> mails are just ignored here, work with me). At any rate, something
> isn't working. Security patches aren't being reviewed and committed
> fast enough, and people like to make noise about it, a huge PR
> So, basically, I think we need to come together and figure out the
> best course of action to ensure that things don't keep going astray
> like this. Perhaps a person or a team of trusted people to sort
> through the security e-mails, create a proper patch, and have some way
> to contact Matt and Ryan more quickly and reliably than one of these
> lists to get the information to them. Maybe there's another, better
> course of action I haven't thought of yet? Whatever is done, I hope
> that this isn't just another pointless flame-thread. Responses?
> --Robert Deaton
> wp-hackers mailing list
> wp-hackers at lists.automattic.com