Nick Jenkins wrote:
[Tim Starling wrote]:
This sort of thing really doesn't need to be reported to wikitech-l.
Whoa! Time out for a reality check.
Let me say this very simply: YOU DON'T GET TO MAKE THAT DECISION. The ONLY person who gets to choose how a bug is reported is THE PERSON WHO FINDS IT.
No shit, Sherlock. You have the ability to choose how you behave. You can throw rocks through windows or cry when you don't get your way, or whatever you feel like doing. I'm only suggesting that you have some consideration when you choose your path.
Whenever you post one of these "OMFG security flaw" posts to a public mailing list, it damages the reputation of MediaWiki as a secure and stable wiki engine. These posts will be archived and available in the search engines forever. Some people are going to search for "mediawiki security" on Google and judge it by what they find.
What we would like is for MediaWiki to be judged by the reliability of its release versions, not whatever happens to be at the head of the trunk in any particular second.
Now as you rightly point out, you are free to make these posts. But that doesn't mean you're going to make any friends by doing it. Yes, you are free to annoy as many people as you like, but I think you will find that to be a bitter and unfulfilling path to take in life.
I shall be happy to email yourself and Brion an updated version of the script that I'm using (you'll have to check it in, as I don't have commit privileges). I'll endeavour to get it to you today, but failing that some time this week. As with all software I'm sure it can be improved, but it's probably better to have something more current checked in to the tree than the old version that is there currently.
I'm sure we can arrange commit access for you.
-- Tim Starling