vanderaj wrote: And so the security discussion moves from phpBB to bugtraq where the damage to your users is so much worse.
It doesn't follow that path by necessity, but by choice.
In any event, moderators don't set policy. It's not up to us to decide the merits of the various arguments on how best to handle phpBB security issues, though the community is forever trying to get us so involved. We have administrators, they have a clear policy, and whether you or I agree in whole or in part or even not at all with that policy, that's the way it is.
Now, we as a community can abide by the rules established by the administrators, or we can break those rules. There should be no head scratching when the cause-and-effect process plays out on a rule violation. phpBB is their project, and phpBB.com is their resource. Just like any other .com, there are people who are in charge, and the rest of us aren't. I'm not sure why phpBB.com is often assumed to be an exception and that we can "bend" rules to conform policy and procedure to some higher authority or ethic - by brute force if necessary.
Any constructive criticism over security policy and procedure is best addressed privately to theFinn or to psoTFX. [Re]Hashing these issues out regularly in various phpBB.com forums is counterproductive on several fronts, in my opinion, and ought to be avoided.