8. Security team (this one is long, and there are 3 more sub-links)

Goals of the security team

  • Handle security issues
  • Continuously check for potential security weaknesses
  • Assist the maintainers of contributed modules with security issues
  • Provide documentation on how to write secure code

How to report a security issue

If you discover or learn of a potential bug, weakness or threat that may affect Drupal, please notify the Drupal security team by e-mail: security@drupal.org.
Please provide as much detail as possible, such as the system environment, the Drupal version, the modules in use and their versions, and so on.
For more information, see How to report a security issue.

How we handle security issues

  • Review the issue for all Drupal releases and assess its potential impact
  • If the issue is confirmed, the security team takes action to resolve it
  • Create and test a new release
  • Create new packages and upload them to the Drupal directory
  • We use every available communication channel to make sure everyone knows that a security issue has been found and fixed, including every step Drupal administrators need to take to protect their systems

Recommended core security upgrades

Here are the security reports about Drupal since 2007, recorded by a high school student, Jesse Crawford, as part of the Google Highly Open Project.

Security announcements and the release process

The security team believes that providing security requires more than simply posting a patch to Drupal.org. The security team recognizes that hundreds of thousands and maybe even millions of people rely on the Drupal security team to notify them of known vulnerabilities. In the third quarter of 2007, the security team adopted a coordinated security release policy to help raise awareness of security issues and to make managing security patches manageable. The security team now coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance. Most importantly, the security team is coordinating with the Drupal maintainers, particularly the Drupal 6 maintainers, to ensure security releases are coordinated with major Drupal releases, such as betas and release candidates. This improves the visibility of security releases and allows for effective coordination of the maintainers and security team resources. However, this has led to several complaints that individual patches are not being released quickly enough.


We believe that we must consider the needs of the site maintainers and their ability to have regularly spaced security announcements. We must also consider the effective use of the security team's limited resources to remain vigilant and available over the long term of the Drupal project. If you have a concern with the response time of your security release we welcome you to publicly discuss this policy, but would ask that you leave the details of any non-disclosed release private until the security team creates an official release.

Disclosure policy

Our policy is one of full disclosure; we will never withhold information about a security problem and hope that it won't be discovered by others. However, public announcements will only be made when the threat has been addressed and a secure version of Drupal is available. We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team, do not share your knowledge of security issues with the public at large.

Which versions we support

  • Only the current and the previous version of Drupal are supported (currently 6 and 5). Older, no longer active versions of Drupal will not receive security releases. Using an unsupported version of Drupal is therefore not recommended; please upgrade so that you can benefit from security releases.
  • Drupal's development branch is not yet intended for production, and no security announcement is issued when a security issue in it is fixed. If you are using the development branch for testing, we expect you to be aware that you need to update your code frequently.
  • The security team reviews the security of the code that ships with the Drupal core release, and also covers the security of contributed modules and code; please refer to the process below.

Security issues in contributed modules

Once we discover a security issue in a Drupal contributed module, we notify the module maintainer and set a deadline. Once the maintainer starts fixing the issue, the security team provides guidance and advice to help with the update. If the maintainer does not resolve the issue within the set time, we cannot provide guidance, but we will still advise against enabling the module and will disable it at the same time.

How can you help?

The biggest help you can offer is reviewing patches for their security impact; you can also help us by reporting issues or by working with the team to fix them.

Security team members

There are 3 more sub-links
* HOWTO: Report a security issue
* My site was defaced ("hacked"). Now what?
* Contacted by the security team. Now what?