[Typo3] t3-SECURITY???

Martoni shieldfire at gmail.com
Wed Feb 9 06:32:10 CET 2005


On Tue, 08 Feb 2005 16:57:51 +0000, daniel schiffner <ds at netzspiegel.de> wrote:
> Christoph Moeller wrote:
> > But: what's the point in shouting out "SECURITY RISK IN TYPO3!!" when
> > the (core-)devs haven't even looked at it?
> 
> you didn't even read the thread, did you?
> i did NOT shout out t3 is insecure or something like this. as i said i
> just wanted to talk about how typo3 might protect even insecure
> extensions. and though you're too lazy to look ds at netzspiegel up, i
> wrote my name into my account (hope you're all happy now).
> 
> > The point is:
> > - keep it calm and professional
> > - don't trigger script-kiddies that wouldn't even notice any flaw by
> > themselves
> > - give the TYPO3 admins enough time to act _before_ mass-exploiting begins
> 
> i thought it's our problem if there's a new exploit (???)
> 
> > That's got nothing to do with "M$-mentality" but just with being
> > professional about such topics.
> >
> 
> indeed it is M$-mentality. open source is like releasing
> security-concerning news and fix it within a couple of hours and not
> like keeping it unsaid and hoping nobody else discovers it!

Well, there are two schools in this (or three really ...).
Historically your point of view dominated; nowadays, the dominating
opinion is that you give developers some time to fix their problems
after you report the sec-bug *to them*. If they don't, it's acceptable
to post security breaches to public lists. (The White Hat approach.)

That said, it's pretty amazing how neurotic this list is over the issue
of names, when in fact there is a difference between "rules" and (as I
quote from the quoted page) "Suggestions...".

/Martin S
