While I had many disagreements over the direction of Drupal 8, https://drupal.org/node/2264041 is pretty much an end-of-the-world issue. We had security holes before, but this is not only a complete failure on technical grounds but also of process: a secure-by-default system was switched to an insecure-by-default and this was known and documented. Somehow people have architected this, coded this, reviewed this, committed this and documented this across a multitude of issues and all along noone said "wait a minute". Even after I discovered it, there was no aghast naval gazing on how it could happen. Everyone simply continued as if nothing happened. Not even an attempt was made to avoid such catastrophes in the future.

The above was the reason I switched my avatar but it continued. When I have -- 1.5 years after it was filed, mind you -- made the Twig autoescape issue finally happen, it was met with such indifference that when the expected double escape bugs surfaced I got yelled at because "really makes the whole thing look broken and unprofessional and unusable". And again, people have coded and reviewed and set to ready some patches trying to fix these double escape bugs in a way that is advised against in doxygen, change notices and quite a few issues.

Commenting on this Story is closed.