On 26/06/06, Tim Starling <t.starling(a)physics.unimelb.edu.au> wrote:
> Whenever you post one of these "OMFG security flaw" posts to a public
> mailing list, it damages the reputation of MediaWiki as a secure and stable
> wiki engine. These posts will be archived and available in the search
> engines forever. Some people are going to search for "mediawiki security" on
> google and judge it by what they find.
*cough* And people are going to spot these arguments in the public
archive, too. Who was it who asked us all to be decent to people;
those we knew, and those we didn't? Common sense, to me.
> What we would like is for MediaWiki to be judged by the reliability of its
> release versions, not whatever happens to be at the head of the trunk in any
> particular second.
I'd tend to agree, although since we're using Subversion trunk in
production on a popular web site, it is, of course, prudent for us to
keep it secure against known issues. :)
Might I suggest that Nick continues to (very kindly) advise us in
advance of security issues, as he has been doing, via the private
channels (emailing two or three of us, or using the security@wikimedia
alias; whatever), but holds back on announcing stuff to wikitech-l for
an hour or so, and doesn't bother announcing bugs in Subversion trunk
that are fixed up?
This means that:
* we still get fair warning of stuff we need to fix
* people aren't alerted and panicked and misled when there's little
cause for alarm
* people *are* given fair notice of problems in the "stable" branch
> I'm sure we can arrange commit access for you.
Sounds like a sensible idea to me; he's not going to go off breaking
stuff, we can sorta guess that, and we'll benefit from having a bit
more testing stuff. :)
Rob Church