Re: PHP snippets (once again): msg#00038

php.drupal.documentation

Subject: Re: PHP snippets (once again)

There is an alternative to simply unpublishing for the problem snippets:

* Enable the "edit book pages" and "view revisions" access controls on
drupal.org for authenticated users so that everyone can edit any page and view
the different versions (isn't it about time we turned these on anyway?).

* Replace the entire text in the node with a security note that warns of the
vulnerabilities.

* Include in the replacement text an invitation to people (anyone) to look at
the previous version and submit an updated version by editing the page.

This takes fixing the security holes out of the docs and security team's hands
and still allows people--with clear warning--to view the original snippet.


Quoting Heine Deelstra <info@xxxxxxxxxxxx>:

Dear doc team,

I looked at several snippets yesterday and to my horror many of them contain *obvious*, major security holes. I've spoken with the leader of the security team (chx) and we agreed to unpublish all obviously insecure snippets, then have a discussion based on numbers (ok vs. not ok) and how to proceed.


--
Pending work: http://drupal.org/project/issues/documentation/
List archives: http://lists.drupal.org/pipermail/documentation/


