[wp-hackers] Development Process

Peter Westwood peter.westwood at ftwr.co.uk
Thu Jul 27 16:40:10 GMT 2006 

On 27 Jul 2006, at 07:05, Robert Deaton wrote:
>
> As you all might've seen, a lot of FUD has been going around lately,
> about a critical vulnerability. People are worried, some of the people
> like DrDave love to post it to their blogs and upset the world.
> Granted, I think this is the entirely wrong way to handle things, but
> as long as things keep going like they're going, I'm sure people will
> continue doing things like this.

Agreed.
>
> Security e-mails appear to their reporters to be ignored. As I
> understand it in the past, a lot of crap gets sent through to
> security at wordpress.org, and obviously it must get rather frustrating
> and tiring for Matt and Ryan to have to read through these e-mails,
> possibly even leaving a legit threat in the stack of crap e-mails.
> (I'm trying to think of any way to explain something other than these
> mails are just ignored here, work with me). At any rate, something
> isn't working. Security patches aren't being reviewed and committed
> fast enough, and people like to make noise about it, a huge PR
> disaster.

Indeed, in this case we had the person reporting moaning on irc that  
he wan't getting a response and there was nothing anyone there could do.
The result of this end up being zedrdave's post which just created  
more uncertainty about the issue.

The only thing a responsible user can do is try and make sure that  
ryan/matt know about the issue by mentioning it on irc / via direct  
email even though they don't actually know what it is or anything  
about it necessarilly and this just creates extra work for ryan/matt  
who are probably in the process of evaluating and fixing the issue.

> So, basically, I think we need to come together and figure out the
> best course of action to ensure that things don't keep going astray
> like this. Perhaps a person or a team of trusted people to sort
> through the security e-mails, create a proper patch, and have some way
> to contact Matt and Ryan more quickly and reliably than one of these
> lists to get the information to them. Maybe there's another, better
> course of action I haven't thought of yet? Whatever is done, I hope
> that this isn't just another pointless flame-thread. Responses?

I think this would be a beneficial process.

I have personally in the past attempted to take this approach and  
analyse and work on a patch for any security issues which are made  
public (such as the recent issue with the on disk cache fixed in v2.0.3)

westi
-- 
http://blog.ftwr.co.uk

More information about the wp-hackers mailing list