[wp-hackers] List etiquette

Ryan Boren ryan at boren.nu
Fri Apr 21 11:05:59 GMT 2006


Elliotte Harold wrote:
> If you actually did a release this would be fine. You haven't. The bug 
> exists. It's out there, and there's no fix available, nor does one seem 
> to be likely in the future. Sending private e-mail to 
> security at project.org is fine for projects that recognize, respond to, 
> and expeditiously fix security holes. However if projects are not 
> prepared to treat security seriously, then the information needs to be 
> made public so users can take actions to protect themselves when vendors 
> can't or won't. This applies whether the project is open or closed 
> source. The only difference is it's usually a little easier for third 
> parties to patch open source security bugs.

People more interested in helping than ranting have already provided 
patches via the standard mechanism.  Those are being reviewed.  Posting 
exploits and scare mongering only makes our job harder, much harder. 
People don't understand the damage they do with their blog and forum 
screeds.  Public hand-wringing can screw up an entire security release 
train.  A stupid number of hours go into each of our security releases. 
We have to sift through all of the FUD and vainglorious stupidity and 
snake oil from fly-by-night security "professionals" to find the real 
problems.  We then engage the real professionals who found real problems 
and set about fixing the problem (which is the easy part), verifying the 
fix, and setting up disclosure timelines.  We have to get that fix on 
the train with other fixes and coordinate with Linux distros, hosts, and 
others with a vested interest.  And then someone who thinks their pet 
bug is the end of the world screws up the train.  That's aggravating, 
especially when the bug in question has relatively low exploitability. 
A big, fat dose of perspective is needed in this thread.

Ryan
