I got some opinions about how to keep security in open source. Now, in Japan, when a developer who doesn't know the details of security publishes a module that equips security hole, an expert developer warns him to stop publishing and fix the module quickly. Some users mail me about this.
(Umm, why did not they contact the expert developer directly? Why did not they discuss directly? Because they are Japanese! Not that this is anything new.)
That's difficult problem. In xoops.org and jp.xoops.org, security was broken perfectly once. Source was open, but nobody tried to check source. Users faced danger always.
Japan has the same situation. But, a couple of earnest programers began tryng to check modules sometimes. That's difference from xoops.org. Is this happy or unhappy? If they stop checking, we face danger soon. The XOOPS Cube project is Anarchism and Minarchism, so the project doesn't have quality checker.
I think that users need self protection in freedom. But, Anarchism denies governmental method, but not an unique method. If a community has shared protection, it's good. If you have another opinion, do discuss.
But, if you think that opened programs will be fixed by many contributed patches, consider how many patches you have contributed to others' program until now. And, if you plan to make the mood you want, you should write something continually on Japanese community. It's strange thought to counterwork others' continual activity by sending a mail to the third person.
Anyway, community members need to know that all of open source programs is not safety. If community members share the same presupposition, it's possible to go next. What do you do actually?
Especially, many users have long experience about XOOPS than me. I want to hear how much open source code they checked actually and how much patches they contributed actually. My recollection is that anybody did nothing until JM2 came back to review X2.