This is to announce the formal creation of a Security Team for Drupal that will be led by Karoly Negyesi (chx). Karoly has been actively contributing code, support and documentation to Drupal for the last one and a half years and has been a strong proponent of setting up a formal security team.
As many of you know, we have been working on building out and extending the infrastructure of Drupal.org to handle additional things that will help our community grow. To that end, I set up a security announcement newsletter, a history of all security advisories (empty for now, we have yet to migrate the old advisories), and an RSS feed with the most recent security advisories.
If you set up or administer Drupal sites, we strongly advise you to sign up for the list. To subscribe to the security announcement mailing list, visit the security page or check the newsletter settings under my account >> edit >> my newsletters.
The goals of the security team are to review reported security issues, and to act upon them. In addition, the security team will provide a platform that allows security advisories to be communicated to the Drupal community.
More information about the security team is available in the handbook at http://drupal.org/node/32750.
Comments
This shows the
This shows the unprofessionalism of the open source world... no security team in such a huge project till now. Good to see one just started as I joined the community.
What are you talking about?
What are you talking about? There has been a security team for a while now, Dries has been running it. Now Dries has formalized the responsibilities to another person.
-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
That's exactly what I meant..
That's exactly what I meant.. it unpro. for it to only happen now...
cya
Dear Hosting Geek
You've been a member of the Drupal Community for 5 weeks now.
Be a little patient and let us all know what's on your mind when you're ready for it.
I can assure you that I've been more satisfied with the security handling efforts by the Drupal community than by most smaller commercial companies that I've worked with for the past many years.
Formalizing security matters is important, but not all.
Best
Gunnar Langemark
http://www.langemark.com
My point - Give the founder his respect.
I got some time right now just before I go to sleep:
What I am talking about, it's very unprofessional and very straining on a founder of a project to be doing so many jobs by himself, and such a job as security would be better handled by someone with a clear head (basically someone that spends 2-3hrs a day just to think)...
Example: do you see Bill Gates handling security in Microsoft? No, because Microsoft is a big company and the founder is busy doing other things and is too busy to have a clear head for security (but with the state of windows' security I wouldn't be shocked if it is all handled by Bill himself)...
My point is drupal is a big project and has been for quite a while, and this means there are more than enough things FOR THE FOUNDER, and the first thing we should be doing is make sure the founder is given his due respect by not being given a gazillion things to take care of basically because he never chose to step down from the job himself... let him do his three or four things so he can do it the same way he started the project (with a love for it), and doesn't feel like he is letting a huge community down because he is embarrassed to take some responsibility off himself, or he doesn't even notice himself that he is doing too much and is pushing himself way too much (like him doing security BY HIMSELF up until now is pushing him a lot for such a large project)... now please don't take this over broad and basically kick Dries out of his own project, but let him do the stuff he enjoys and that is relaxing but still a bit of a challenge, but not something that will stress him out... I'm saying make his life easier and give him enough things that he wants to do without overdoing it... overdoing it is by not making stuff like a security team once the project officially became big and leaving it all on the original person that is so nice that he doesn't even see he is doing more than a normal human can do and is causing himself stress...
Hope it made sense... please take it in a positive way.
P.S. the main reason why I say this is because of the way I see some families work and how some husbands take for granted how much work their wife is doing in the house that they don't notice, and say some things....
I was thinking you might
I was thinking you might really have a point with this, until you lost me and mentioned MS and as the "pro" to follow in the security process. Then you go on and mention their (MS) current state of security. Seems like a contradiction to me, as their current security state is a direct result of their security policy.
Drupal is not that big of a project, just very popular. If they try to emulate some corporate security policies, they might be shooting themselves in the foot.
The proper way for a process is to grow and adapt with the project's growth, not jump way ahead of its needs. Just my $0.02.
Sorry the MS part was left
Sorry, the MS part was left over from my old draft post... I rewrote it to make my point more clear... cut the Example part out... I am just saying look at Linus, he isn't maintaining everything that he just hasn't yet passed on to himself... others came up, proved themselves worthy to maintain that part of the kernel, and Linus was left with what he wants to do... maintain the PPC port or something like that...
Last time for me
You've been here for only a few weeks and you lack the perspective of the project's history and the understanding of the work needed to set up the infrastructure to hand off the duties, and the fact that he has been for quite a while.
It wasn't until this year that we hit this very large explosive growth. CivicSpace moved all their stuff back to Drupal.org CVS which added more directly active developers. The 4.6 release was even more popular (there is a graph somewhere). Time was taken getting ready and in building out the new servers. Several conferences have happened as has the server issue which have all taken time for people not paid to work on this.
Dries set up more site-maintainers to help with the Drupal.org maintenance last December, he set up the docs team and handed off lead to Charlie Lowe many months ago. There is an Infrastructure list where those of us that help handle what issues we can.
In order to deal more effectively with the Newsletter and other notifications setup, DriesK (not Dries but a different Dries, so see, he doesn't do everything) wrote the simplenews module and it has now been added to Drupal.org to allow better integration and communication of notifications to interested parties. There is more stuff going on in building out other aspects of the site as well.
Linus did not give up control of all aspects all at once, it was an evolutionary process, as is this one. Please do not assume that Dries maintains every aspect of the project with micromanagement. There are developers with experience and perspectives that everyone relies upon for their expertise to hammer out and arrive at solutions that will work best for the project. There are doc team members, infrastructure team members.
To wander in and start off calling people you don't know and haven't worked with 'unprofessional', cross posting links to every marginally related thread without bothering to learn the history or involve yourself first is well.....ummm..... ;)
So hang out, help out, get involved. Welcome to the community. You'll have some fun here and we'll all learn something.
-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Missing the point
You're missing the point here. It has been here for a long time already, run by Dries. It is now formally handed over to someone else, and a mailing list was also added for user convenience. It doesn't mean the security team wasn't there because there was no dedicated mailing list for it.
Look at Drupal's history. See the quick release times after a critical bug was discovered. You will be amazed to see that this time lapse between reporting and fixing is significantly smaller than for some non-opensource counterparts.
(And no, I am not working for the security team, in case you were wondering...)
-- Kobus
See above.
See my reply above.
... My views...
My view is that open-source is over-ruling the "Commercial" world today. The Open source world is releasing products that overpower commercial products by a lot. Look at the Mozilla Foundation, Drupal, Mambo, and look at Linux and the server world, Apache, MySQL and phpBB.
Unprofessional has never even entered my mind when it comes to Drupal.
------------------------------------
Paul Malenke
paul.malenke@gmail.com
AfterDeathGraphics.com
I am going to do some
I am going to do some bashing here:
The Epiphany (the GNOME web browser) developers, who use Gecko as their engine, commonly bash the Mozilla Foundation over their poorly designed code base and their printing code which totally sucks. They do have a GTK-Webcore codebase but no one is really developing in it, as GTK-Webcore hasn't had a stable release.
Drupal's problems are that some parts of the design are very advanced and some other parts lag behind a lot... and other parts are totally missing, which seem to be on the todo list.
Mambo... I don't think I need to explain... because drupal kicks its butt.
Linux has its lot of problems and I am not into them... but if you want a good kernel like Linus said "Wait for Hurd".
Apache has a lot of problems such as large memory footprints, and some basic modules are just missing or are missing basic features... which its competitor lighttpd has, plus with the advantage of a low memory footprint and not being a target of crackers... also its license according to some is better....
MySQL seems to be following the same biz model as QT: release a GPL version of its libs instead of LGPL, which means you have to pay for a license to use it with anything which isn't GPL compatible.
phpBB has its problem of only allowing 1 or 2 developers to work on it... which is really against the spirit of open source... and drupal's forums module is a lot cooler...
So let's put it this way:
Webcore is better than Gecko, but Gecko has all the users.
Drupal is better than Mambo but Mambo has all the users.
Hurd is better than Linux but Linux is at a completed state.
Lighttpd is better (in a way) than Apache but Apache has all the users.
MySQL is just evil.
phpBB is open source but developed in a very closed source way; also drupal's forum module is a bit better in design (like you can choose if you want it to be a flat forum or a threaded forum...)
Well, I got to go, I have no time to edit this... if anyone who understands what I am trying to say knows of a better way to explain it, please go ahead.
Wait for Hurd?
I can't find the original, only http://developers.slashdot.org/comments.pl?sid=100272&cid=8545730, but from that post, this "wait for Hurd" saying is from 1991 or so.
lighttpd also can be debated whether it's better or not than Apache.
I should be flattered by my "drupal kicks mambo butt" and it's mostly true, but we have learned and will learn from Mambo/Joomla!
MySQL is just evil, hear the professional man speaking.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
you are obviously new to Drupal
Development of Drupal core is so focused on security that Drupal hasn't really had any major security problems until this summer--and those were mostly due to third party code (xml-rpc). Given the history of the project, I'd say this increase in security at this moment is not "unprofessional."
Support instead of Bashing
Always keep in mind that Drupal is a community effort. So you are just as much to blame for the lack of a security team as anyone else. That is, if there really was none before. But there was, it was just not as visible as it is now.
---
if you don't like the choices being made for you, you should start making your own.
---
[Bèr Kessels | Drupal services www.webschuur.com]
Not really
We already had a security team. As of October 1, it is headed by Karoly and no longer by me. I'm delegating the work. In addition, to help the security team (of which I'm obviously still a member and in which I have a say), I set up more and better infrastructure.
I hope that clarifies the confusion. :)
Security
In my opinion the security of a CMS like drupal is more important than all other parts (modules, themes a.s.o.)
and it is a great point for drupal that the security team exists.
with kind regards, holger
www.ebec.net | www.stnetwork.de
Well Drupal was a big
Well, Drupal was a big project from before October 1st.... well, I plan on helping the project a lot with the subject of themes and usability once I fine tune my skills... I am currently messing around with a bit of DHTML and AJAX... I think I will be ready in about a few months...
P.S. I must admit I am a Debian user at home... so if in a few months I still don't feel my skills are ready enough, I am sure you will understand.
P.P.S. to anyone else trying to learn fancy web development... (more than anything you could learn by reading zvon.org) is by coding some silly things that are totally useless (such as making a lotto system using AJAX...) use fancy techs till you feel you know the tech well enough that you can help the project with your skills... I am sure the SoC students will agree.
Drupal had a security team before October 1st...
Which language should we use that you get it? The security team was set up not long after the DrupalCon. During the Drupal 4.6 lifecycle the team was already present and acted in case of need.
I am only named head now, that's all.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
Some history
I asked Dries for a security@drupal.org email address in Antwerp. At that time it seemed I could port a huge government body to Drupal, but thanks to ugly bureaucracy this project later flopped *sigh*.
In April, the security mailing list was set up (Apr 22nd or so). At this time we had no formal hierarchy, but I aspired to become leader; however I was not doing my best doing the 4.6.1 or 4.6.2 release, can't remember. Yes, all 4.6.x releases are made by the security team.
However, this letter was sent to Dries on Aug 13 when we were discussing how to act on the latest XML-RPC bug:
As you can see, Dries was looking for someone to delegate to problem to. The rest is history.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
Drupal Security RSS-Newsfeed
I added the Drupal Security Feed to www.stnetwork.de/drupal.html and the security messages will also be published in the German support forums at www.drupalcenter.de
Great Work, Thank you
with kind regards, holger
www.ebec.net | www.stnetwork.de