[wp-hackers] Development Process

Christopher J. Hradil chradil at comcast.net
Thu Jul 27 08:37:07 GMT 2006

The invitation-only list is probably the best solution; this way there's
more than two folks able to filter/respond/act. I'd agree that making
"public" information of a serious problem would only put users at risk, but
having a larger number of trusted folks in the loop is a must in order to
help deal with these types of issues more efficiently and quickly.

> I don't doubt that there is a huge issue, and no, perhaps it's not fair to
> dump it in Matt and Ryan's lap, but what option do we have to avoid it? We
> can't do anything without Matt's blessing.

That's a problem for a couple of reasons. First, wp has become a pretty
large-scale project with an enormous user base; it simply isn't practical
for one or two individuals to be expected to handle or be responsible for
all of the things that need to be done at this stage. Second, at this point
it's a community project, and moving forward, more responsibility is going to
need to be handed off to the community. Right now, when things like this pop
up, Matt's the one wearing the bull's-eye as far as the public is concerned.
It shouldn't be that way. The community needs to develop mechanisms for self
governance and community responsibility, and thus for dealing with issues like
this. Whether issues like this one are genuine or not is almost irrelevant;
what's almost more important is that folks like DrDave and those types of posts
are really taking a jab at Matt personally, and looking for him to make a
response, or looking to blame him personally for issues like this, which
isn't fair to Matt or to the community.

Look at something like Apache: when someone throws stones in their
direction, the community puts a stake in the ground and makes a definitive
statement which completely removes personalities and egos from the picture.
When the "community" can react effectively to things like DrDave's post in
that manner, those types of posts will die out pretty quickly, and when they
do pop up they won't mean much.


Christopher J. Hradil
chradil at comcast.net

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Robert Deaton
Sent: Thursday, July 27, 2006 3:38 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Development Process

On 7/27/06, chradil at comcast.net <chradil at comcast.net> wrote:
> i've been having some kind of email issue, which is preventing me from
> sending/receiving to the wp-lists today for some reason. at any rate, i was
> pretty disturbed to read the DrDave post and responses. Personally, I'm sure
> that it's simply an over-reaction, or a purposeful "dig" at wp for whatever
> reason, and likely relates to a known, existing trac ticket.

I doubt it's an existing trac ticket; someone would surely have picked up on
a security issue if it was in a trac ticket.

> in the unlikely event that there is in fact an issue of that magnitude
> that has for whatever reason not been disclosed/discussed and/or addressed
> by the community, that's a serious problem. it's also not fair to dump the
> entire issue in matt/ryan's lap either.

I don't doubt that there is a huge issue, and no, perhaps it's not fair to
dump it in Matt and Ryan's lap, but what option do we have to avoid it? We
can't do anything without Matt's blessing.

> I would propose that a better solution for dealing with these kinds of
> security issues (both in terms of public perception/marketing, and in
> terms of actually addressing them) is as follows -
> 1) eliminate the security at wp email solution, and establish a wp-security
> mailing list.
> 2) create a web based form for reporting of any security issues, PROMOTE
> the heck out of the link to the form everywhere. set the form up so that it
> sends the report directly (transparent to the users/reporter) to the
> wp-security list.
> 3) subscribers to the security list would then as a community be able
> to assess or filter what's important from what's not, plus respond to each
> reporter of an issue, even if it's just a canned response like -- that's not
> really an issue, see wp codex/forums link ... --- once the report is
> "filtered" the security list subscribers would then forward important/"real"
> issues to both/either matt/ryan and the trac folks to take a look at and

The issue with this is making the security vulnerabilities public via a
mailing list where anyone could subscribe allows malicious users to see the
same information, POCs, etc., that the good people see. Full disclosure may
work for other projects, but in WP's case where the commits and releases are
decided by two busy people and a release might not come for days, full
disclosure isn't an option, we simply can't leave hundreds of thousands of
users sitting at risk.

> this type of system would completely eliminate the kind of BS in the
> DrDave post, since any time a post like that pops up, the wp community would
> be able to respond in a meaningful way with either relevant information from
> the wp-security list/trac tickets or, completely shoot down the BS posts,
> based on a tangible and trackable record of how each issue has been
> addressed. there would then be no more room for anyone to say "we've been
> reporting these BIG security holes and no one is doing anything about them".

Simply having better feedback from the security e-mail would also eliminate
this, and so I don't think a full disclosure type list is the way to go. A
private, invitation-only mailing list for proven members of the community
may be the way, however.

> i'd like to re-emphasize -- DrDave's post is counter productive. if it has
> merit, why don't we already know about it ?

*We* don't do anything about it because we know nothing about it. Not
that this is a bad thing; the general public needs not to know. The issue is
that the developers aren't doing anything apparent or vocal enough about it.

> if it's BS, why don't we have a mechanism for pointing the public to the

Good question, as there have been false security advisories creating FUD in
the past (a la
http://www.neosecurityteam.net/index.php?action=advisories&id=17 ), where we
went without an official response for days. Why? Who knows.

--Robert Deaton
wp-hackers mailing list
wp-hackers at lists.automattic.com