For a long time the security team documentation has grown in fits and starts inside of security.drupal.org with a somewhat challenging organization. About 9 months ago I started a process to archive unnecessary/outdated items, consolidate the good stuff, and organize it into a single google document for editing to allow people outside the team to help. Since then, several people helped out and in the last week (starting at Drupalcon Munich) Ben Jeavons and I moved it all to public book pages on Drupal.org. You can now find the previously private content inside:
- The main security team page
- A Security Team procedures book section
- Joining the security team on s.d.o
Our hope is that people who are not on the team will help to consolidate this information further, re-write confusing sections. Overall the biggest problem seems to be inconsistencies, duplicate and redundant information. Our focus should be on reducing word-count (without sacrificing content/clarity) and rewriting for readability wherever possible. We want a friendly tone that focuses on the security team supporting project maintainers.
I would like to thank several people who helped at various stages in the process of moving it public:
* David Rothstein, Stephane Corlosquet, Jakub Suchy, Heine Deelstra, Mori Sugimoto and many others who helped write the original documentation
* Angela Byron, Forest Monsen, Stephane Corlosquet, Ben Jeavons, Chris Hales - members of the security team who edited or commented on the doc to make it better
* Kathleen (kktaus), Craig Norris, galooph, melissavdh - members of the broader Drupal community who edited or commented to make it better
Thanks to everyone who has provided documentation of the team and our processes. And, again, I encourage anyone to help edit the public docs for consistency, clarity and brevity!
Comments
Security Team pages moved to the Admin Guide
The Security Team pages have been moved to the Administration Guide which has been renamed the "Administration and Security Guide". The rationale is that there was already a great deal of security information in the Admin Guide so it seems to make sense to have all this related content in one place.
Also the Security Team pages contain procedural information and the previous location (About Drupal) was not the appropriate place for that kind of content.
I'm not sure the new home is
I'm not sure the new home is the right place. They were under About Drupal because they were under the Security Team page. They are not about general administration of a Drupal site which is what "Administration and Security Guide" seems to be about.
Were there any other places you considered posting them? Did you make this change after consultation with anyone else?
certifiedtorock.com/u/36762/ | Druplicon debit card
I do not think that
I do not think that Administration Guide is appropriate place for the Security team pages. "Securing your site" and its sub pages contain specific information and tips for site administrators. "Security team" talks about team of people - part (pretty important one) of the Drupal project, their structure, procedures etc. Such information in my opinion looks much better in "About the Drupal project", next to "Core developers" etc.
The bulk of the content in
The bulk of the content in the Security Team section seems highly relevant to administering the security of the site including everything in the FAQ, what to do if my site is hacked, how to report a security issue, release numbers and release timing explained, security risk levels.
The only parts that don't seem directly relevant to admins are the security team procedures and the "contacted by security, now what" page. The latter might go in the dev guide somewhere but it seems to make sense to have everything security-related in one place.
And
And http://drupal.org/node/1424708 ?
certifiedtorock.com/u/36762/ | Druplicon debit card
Well, like I said, that
Well, like I said, that particular chunk is not directly relevant to administrators. However it was far more out of place there where it was, since the About Drupal section is pretty much generic content re the project as a whole.
The other place it could reasonably go is here: http://drupal.org/getting-involved-guide where we have procedural information for drupal.org site maintainers, code contributors, documentation etc.
Refactored
I've moved all the information that I believe is specifically directed towards site administrators (e.g. what to do if my site is hacked) out of the Security Team section (but still in the Securing Your Site section of the Admin Guide) and moved the Security Team section to the Getting Involved which is where all the internal D.O process stuff is kept.