Thursday, 15 March 2012 17:17
Obviously Tijn has never heard the phrase "don't shoot the messenger". Let's be clear about this: the vulnerability is Joomla's responsibility, not Jeff's. As a member of the project, and the security team, I hate seeing this sort of thing at least as much as anyone else, but I'd much rather see a note from Jeff in the security inbox than a description of the attack on a hacker board. Still, disclosure shortly after an update does cause some hardship. Right now we have webmasters who are just waking up to discover the update, and they haven't had a chance to apply it. A simple description of the attack vector like this makes it much more likely that they're also waking up to a hacked site. If the simple description was held back for a while, then only hackers willing to understand the changes to the code would be developing exploits, and that would buy a significant number of sites a few more hours' time. So what Tijn might have been better off saying is "your timing is less than optimal". "Jerk" is, IMO, unjustified. I agree with Jeff's comment: it could also have been one hell of a lot worse. He deserves credit for not making it so.