09-30-2008, 04:31 PM
Stephane Corlosquet
forums + portal for {lang}.centos.org sites

Karanbir Singh wrote:

Ned Slider wrote:


We (in my day job) see the same security issues for Joomla based sites
when modules are used to extend core functionality. Site
developers/owners are quick to extend functionality by installing
additional plugins but then don't want the responsibility of maintaining
multiple packages/plugins on the server. It just adds a further layer of
complexity as any plugins need to also be separately monitored (and
maintained) for security updates.



Drupal 6 core has a built-in Update Status feature to keep the site
admin up to date with new releases (contributed modules and security
releases). It synchronizes with drupal.org and warns you when there are
new releases for your modules. The update path is fairly easy and
automated. Using cvs to check out Drupal and its modules can save you a
lot of time.



Yes, and it's things like this:

http://drupal.org/node/313054

which are quite scary.




This is what happens when you don't use the Drupal API, which saves the
developers from having to worry about common security issues like XSS,
CSRF, SQL injection etc. In that way it's very quick to evaluate the
quality of a module: you just need to check whether they make good use
of the API or not...



scor,

http://drupal.org/user/52142



_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
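The point made in the post above, that a module written against the Drupal API gets SQL escaping, HTML escaping and CSRF tokens for free while hand-rolled code gets none of them, as an added example. This is not code from the thread or from any Drupal project; it assumes a Drupal 6 site and a hypothetical module named scor_example (the module name, paths and menu entries are invented for the illustration; db_query, check_plain, t, l, drupal_get_token, drupal_valid_token, node_load and node_save are the real Drupal 6 API functions).

```php
<?php
// Added example, not code from the thread or from Drupal itself. Assumes a
// Drupal 6 site and a hypothetical module named scor_example, saved as
// sites/all/modules/scor_example/scor_example.module next to a matching
// scor_example.info file. Both page callbacks implement the same
// "find nodes by title" feature; only the second one goes through the API.

/**
 * Implementation of hook_menu().
 */
function scor_example_menu() {
  $items = array();
  $items['scor-example/unsafe'] = array(
    'title' => 'Title search (unsafe)',
    'page callback' => 'scor_example_unsafe_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  $items['scor-example/safe'] = array(
    'title' => 'Title search (safe)',
    'page callback' => 'scor_example_safe_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // State-changing action reached by a plain link; the callback checks a token.
  $items['scor-example/safe/unpublish/%'] = array(
    'page callback' => 'scor_example_safe_unpublish',
    'page arguments' => array(3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Hand-rolled version: ?q=scor-example/unsafe&title=About
 * Deliberately vulnerable, to show what bypassing the API looks like.
 */
function scor_example_unsafe_page() {
  $title = isset($_GET['title']) ? $_GET['title'] : '';
  // SQL injection: user input is concatenated straight into the query.
  $result = db_query("SELECT nid, title FROM {node} WHERE title = '" . $title . "'");
  // XSS: the search term and the stored titles are echoed unescaped.
  $output = '<h2>Results for ' . $title . '</h2>';
  while ($row = db_fetch_object($result)) {
    $output .= '<p><a href="/node/' . $row->nid . '">' . $row->title . '</a></p>';
  }
  return $output;
}

/**
 * API version: ?q=scor-example/safe&title=About
 */
function scor_example_safe_page() {
  $title = isset($_GET['title']) ? $_GET['title'] : '';
  // %s placeholder: db_query() escapes the argument for the database layer.
  $result = db_query("SELECT nid, title FROM {node} WHERE title = '%s'", $title);
  // t() with an @placeholder runs the value through check_plain().
  $output = '<h2>' . t('Results for @title', array('@title' => $title)) . '</h2>';
  while ($row = db_fetch_object($result)) {
    // l() escapes the link text and builds the href through url().
    $link = l($row->title, 'node/' . $row->nid);
    // The action link carries a per-session token bound to this node id.
    $token = drupal_get_token('scor_example_unpublish_' . $row->nid);
    $action = l(t('Unpublish'), 'scor-example/safe/unpublish/' . $row->nid,
                array('query' => array('token' => $token)));
    $output .= '<p>' . $link . ' (' . $action . ')</p>';
  }
  return $output;
}

/**
 * Page callback for the unpublish link; $nid comes from the menu path.
 */
function scor_example_safe_unpublish($nid) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  // CSRF: without this check, any page an administrator visits could fire
  // the action with an <img src="..."> pointing at this URL.
  if (!drupal_valid_token($token, 'scor_example_unpublish_' . $nid)) {
    drupal_access_denied();
    return;
  }
  $node = node_load((int) $nid);
  if (!$node) {
    drupal_not_found();
    return;
  }
  $node->status = 0;
  node_save($node);
  drupal_set_message(t('Unpublished %title.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

Forms built with the Drupal 6 Form API get the CSRF token added and checked automatically; the manual drupal_get_token()/drupal_valid_token() pair above is only needed because the action is triggered by a GET link. When reviewing a contributed module this is the quick check the post describes: grep for db_query() calls that concatenate input instead of using %s/%d placeholders, for output that is not passed through check_plain(), t() or l(), and for state-changing callbacks that validate no token.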
 
09-30-2008, 05:50 PM
Karanbir Singh
forums + portal for {lang}.centos.org sites

Stephane Corlosquet wrote:

yes, and its things like this :

http://drupal.org/node/313054

which are quite scary.

This is what happens when you don't use the Drupal API
<http://api.drupal.org/>, which saves the developers from having to
worry about common security issues like XSS, CSRF, SQL injection etc. In
that way it's very quick to evaluate the quality of a module: you just
need to check whether they make good use of the API or not...


Surely this is the responsibility of the drupal devteam and not the
userbase to ensure stuff like this is not included. That specific module
was at some time distributed from the drupal.org website, wasn't it?


I don't really want to sit here and audit every bit of code that is going
to come along with drupal. I'd much rather just plonk something together
in pylons, in perhaps a day or so, that would give me a better match for
requirements.

--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos@irc.freenode.net
 
09-30-2008, 07:05 PM
Dag Wieers
forums + portal for {lang}.centos.org sites

On Tue, 30 Sep 2008, Karanbir Singh wrote:


Stephane Corlosquet wrote:

> yes, and its things like this :
>
> http://drupal.org/node/313054
>
> which are quite scary.

>
This is what happens when you don't use the Drupal API
<http://api.drupal.org/>, which saves the developers from having to worry
about common security issues like XSS, CSRF, SQL injection etc. In that
way it's very quick to evaluate the quality of a module: you just need to
check whether they make good use of the API or not...


Surely this is the responsibility of the drupal devteam and not the userbase
to ensure stuff like this is not included. That specific module was at some
time distributed from the drupal.org website wasent it ?


Does the absence of such bug-reports make a solution more secure?

--
-- dag wieers, dag@centos.org, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
 
09-30-2008, 07:39 PM
Karanbir Singh
forums + portal for {lang}.centos.org sites

Dag Wieers wrote:
Surely this is the responsibility of the drupal devteam and not the
userbase to ensure stuff like this is not included. That specific
module was at some time distributed from the drupal.org website wasent
it ?


Does the absense of such bug-reports make a solution more secure ?


Well, does a widely circulated known exploit that isn't going to get a
fix instill confidence in you?


--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos@irc.freenode.net
 
09-30-2008, 08:25 PM
"Stephane Corlosquet"
forums + portal for {lang}.centos.org sites

Note that this module was NOT part of Drupal core and that the number of sites using it was therefore limited (I myself never heard of it before). This is an edge case: the module was found to be badly designed and has been unpublished until the author rewrites it. This should be sorted out shortly. This case should not be generalized, and in 99% of the cases a new release is provided with the Security Announcement.


scor.

On Tue, Sep 30, 2008 at 8:39 PM, Karanbir Singh <kbsingh@centos.org> wrote:

Dag Wieers wrote:

Surely this is the responsibility of the drupal devteam and not the userbase to ensure stuff like this is not included. That specific module was at some time distributed from the drupal.org website, wasn't it?

Does the absence of such bug-reports make a solution more secure?


Well, does a widely circulated known exploit that isn't going to get a fix instill confidence in you?

 
09-30-2008, 08:48 PM
Dag Wieers
forums + portal for {lang}.centos.org sites

On Tue, 30 Sep 2008, Karanbir Singh wrote:


Dag Wieers wrote:
> Surely this is the responsibility of the drupal devteam and not the
> userbase to ensure stuff like this is not included. That specific module
> was at some time distributed from the drupal.org website wasent it ?


Does the absense of such bug-reports make a solution more secure ?


well, does a widely circulated known exploit that isnt going to get a fix
instill confidence in you ?


At least there is a process of reporting out-of-core security problems.

Why should the Drupal team be responsible for code they clearly do not
support? Go and talk to the module's developers to see what processes
they have before you use it.


--
-- dag wieers, dag@centos.org, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
 
09-30-2008, 09:04 PM
Karanbir Singh
forums + portal for {lang}.centos.org sites

Dag Wieers wrote:

At least there is a process of reporting out-of-core security problems.


I don't see how that is relevant; CVEs are open to anyone to report
against / for? So what's your point?


Why should the Drupal team be responsible of code they clearly do no
support ? Go and talk to the module's developers to see what processes
they have before you use it.


Sure, that should be something that whoever decided to test and look
after drupal ( should we select it ) should do, if the built in core
modules are unable to handle the issues we need it to.



--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos@irc.freenode.net
 
09-30-2008, 09:11 PM
"Stephane Corlosquet"
forums + portal for {lang}.centos.org sites

KeyZ is offering a "Sample of CentOS.org implementation using Drupal"
see http://dag.wieers.com/blog/drupal-for-centos-portal-and-forums#comment-988

http://dag.wieers.com/blog/drupal-for-centos-portal-and-forums#comment-983

scor.

On Tue, Sep 30, 2008 at 10:04 PM, Karanbir Singh <kbsingh@centos.org> wrote:

Dag Wieers wrote:

At least there is a process of reporting out-of-core security problems.


I don't see how that is relevant; CVEs are open to anyone to report against / for? So what's your point?


Why should the Drupal team be responsible for code they clearly do not support? Go and talk to the module's developers to see what processes they have before you use it.


Sure, that should be something that whoever decided to test and look after drupal (should we select it) should do, if the built in core modules are unable to handle the issues we need it to.

 
09-30-2008, 09:11 PM
"David Newkerk"
forums + portal for {lang}.centos.org sites

Hello all -

My name is David Newkerk, and have posted under the user name Keyz on
Dag's blog post regarding Drupal. Dag requested that I post directly
to the mailing list instead so that the info I am compiling can be
more readily seen by everyone. Apologies if I have posted incorrectly
with this first reply, as I'm not yet accustomed to using the mailing
list. I will post several longer replies once I'm sure I've posted
correctly.

Thanks!

- David


On Tue, Sep 30, 2008 at 2:04 PM, Karanbir Singh <kbsingh@centos.org> wrote:
>
> Dag Wieers wrote:
>>
>> At least there is a process of reporting out-of-core security problems.
>
> I dont see how that is relevant, CVE's are open to anyone to report against / for ? so whats your point ?
>
>> Why should the Drupal team be responsible of code they clearly do no support ? Go and talk to the module's developers to see what processes they have before you use it.
>
> Sure, that should be something that whoever decided to test and look after drupal ( should we select it ) should do, if the built in core modules are unable to handle the issues we need it to.
>
 
09-30-2008, 09:12 PM
Dag Wieers
forums + portal for {lang}.centos.org sites

On Tue, 30 Sep 2008, Karanbir Singh wrote:


Dag Wieers wrote:

At least there is a process of reporting out-of-core security problems.


I dont see how that is relevant, CVE's are open to anyone to report against /
for ? so whats your point ?


It is relevant in the sense that:

1. You seem to hold Drupal responsible, while they merely put contributed
modules on their website

2. They at least respond to security problems by removing them from the
website and providing that information

Why are you picking on me again while I just respond to what you say and
try to put it into context ?


Again I am questioning why I even bother if every thread ends into
something like this...

--
-- dag wieers, dag@centos.org, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
 
