Recently, some idiot has blogged in a negative way about how the symfony team handles security issues [1]. If the poster spent more time developing, and less time talking nonsense on IRC, maybe there would be less to complain about.... Anyway, the correct place to discuss this kind of thing is the list, so.... here goes!

Personally, I think it's important users know about security issues as soon as they happen. It's my opinion that keeping security issues 'low key' does nothing but potentially hurt users, and lose trust. This topic brings with it a wide range of opinions though, and handling security issues in the software world isn't an easy task.

I would like to suggest that a security team is put together, where issues can be discussed in full by core/trusted developers - and official advisories for any security related issues (regardless of severity) are written and published. I suggest that clear links are made from the front page of the site, and the ticket creation page, which link to a page explaining how security issues are handled. I think an email address for the security team should be placed on this page, and someone should get back to the reporter of the issue as soon as possible to let them know their issue will be dealt with.

I don't think there's any shame in publishing a security history on the site; I feel it's important to be very up front about these issues. Not only so users can see issues and how they were dealt with, but so that current and future developers can read and learn from previous mistakes.

So, I urge you all to voice your opinions on this - maybe I'm just making a point over nothing, feel free to voice that opinion too, I'm thick skinned :)

[1] http://pookey.co.uk/blog/archives/50-Symfony-security-concerns-and-other-issues.html
