I sent this to the docs list when they started considering Zikula. Now
that we're setting up a test instance and getting some people on the
infrastructure team to work on it, it seems like a good point in time to
forward it here.
-------- Original Message --------
Date: Fri, 23 Jan 2009 16:55:03 -0800
From: Toshio Kuratomi <a.badger(a)gmail.com>
Paul W. Frields wrote:
> I think we should also be considering the other major players in the
> CMS game, if there are people available to deploy and maintain them.
> Drupal and Joomla! immediately come to mind, the latter especially
> because it actually has some DocBook XML support. Features aren't
> particularly compelling, though, if we have no one around to help with
One of the things I didn't know until I did some browsing around their
website is that Zikula started off as PostNuke but that they changed the
name in June. So they are a long term player in the CMS market.
None of this has any bearing on the quality of Zikula, which I'm
I was impressed by a few of the things I've learned since this morning
:-) The answers to how proactive the security is were a nice change from
the usual thoughts I've seen::
Here's my naive search of cve.mitre.org
for issues reported in 2008.
Note that some people would say to exclude plugins from this but my view
is that we're going to be running plugins as part of our deployment and
we'll want to know if we can expand our capabilities by pulling in
functionality via plugins without compromising security. So knowing
this does a *little* towards understanding whether the Core provides an
API for writing secure plugins and the plugin community is security
minded as well as Core developers. And like I say, this is naive :-)
91 Joomla -- Lots of plugins, a few in core
79 Drupal -- Lots of plugins, a few in core
60 Wordpress -- Lots of plugins, a few in core
53 Mambo -- Lots of plugins, at least one in core
4 zikula + postnuke -- 1 in Core, 3 in plugins
For reference, mediawiki, which we think has an acceptable
security-to-benefit ratio, had 8 vulnerabilities reported in 2008 using
the same naive count.
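
The naive count described in the message above, as an added example that is not part of the original email: it tallies records per product for one year, splits plugin from core by the wording of the description, and lists records that raise two products' totals at once. The record ids and descriptions are constructed, and the PRODUCTS table and ADDON word list are assumptions made for the illustration.

```python
import re
from collections import Counter

# Product -> lowercase keywords; Zikula and PostNuke share a row, as in the message.
PRODUCTS = {
    "Joomla": ["joomla"],
    "Mambo": ["mambo"],
    "Drupal": ["drupal"],
    "zikula + postnuke": ["zikula", "postnuke"],
}
# Assumed heuristic: these words in a description mean an add-on, not core.
# It misfiles issues in modules that ship with core.
ADDON = re.compile(r"\b(component|module|plugin|extension|theme)\b", re.I)

# Constructed records (not real CVE entries): (id, description).
SAMPLE = [
    ("EXAMPLE-2008-0001", "SQL injection in the Gallery component for Joomla! and Mambo"),
    ("EXAMPLE-2008-0002", "Cross-site scripting in the search form of Joomla!"),
    ("EXAMPLE-2008-0003", "Cross-site request forgery in the Polls module for Drupal"),
    ("EXAMPLE-2008-0004", "Directory traversal in the language handling of PostNuke"),
    ("EXAMPLE-2008-0005", "SQL injection in the News module for Zikula (formerly PostNuke)"),
    ("EXAMPLE-2007-0006", "Cross-site scripting in the Calendar plugin for Drupal"),
]

def naive_count(records, year):
    """Return (per-product core/plugin counts, ids counted under several products)."""
    counts = {name: Counter() for name in PRODUCTS}
    shared = []
    for rec_id, desc in records:
        if f"-{year}-" not in rec_id:  # filters on the year in the id only
            continue
        text = desc.lower()
        kind = "plugin" if ADDON.search(desc) else "core"
        hits = [n for n, kws in PRODUCTS.items() if any(k in text for k in kws)]
        for name in hits:
            counts[name][kind] += 1
        if len(hits) > 1:  # one record, several totals: the rows overlap
            shared.append(rec_id)
    return counts, shared

if __name__ == "__main__":
    counts, shared = naive_count(SAMPLE, 2008)
    for name, c in sorted(counts.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{sum(c.values()):3d} {name} -- {c['plugin']} in plugins, {c['core']} in core")
    print("counted under more than one product:", shared)
```

Records that appear in the shared list should be read before comparing rows, since the per-product totals are not disjoint.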