11:05 p.m.
I just learned that http://spreadfirefox.com is running on Drupal as well as:
http://gnomedesktop.org/
http://kerneltrap.org/
I also found videos (ogg in torrent) from Drupal conference:
http://drupal.org/drupalcon-2005-media
--
Thomas Chung
FedoraNEWS.ORG (http://fedoranews.org)
"..where you can free your knowledge for your free community!"
2:59 p.m.
Thomas Chung wrote:
I just learned that http://spreadfirefox.com is running on Drupal as
well as:
http://gnomedesktop.org/
http://kerneltrap.org/
I also found videos (ogg in torrent) from Drupal conference:
http://drupal.org/drupalcon-2005-media
--
Thomas Chung
FedoraNEWS.ORG (http://fedoranews.org)
"..where you can free your knowledge for your free community!"
So, would that be the same spreadfirefox.com that has been compromised
three time in the last few months? The same one that required users to
keep changing their might-have-been-compromised information? Kind of
leaves me curious...
Do we have any information on Drupal's security track record? PHP has
had its fair share of problems.
I'm not meaning to bash on Drupal or PHP, but these are important
concerns. I'm not going to pretend that Python and the Python software
currently in use are perfect, but security was one of the considerations
in their selection. It would be helpful to know how spreadfirefox.com
was compromised. If their failures were problems with Drupal or PHP, or
if they were problems elsewhere would be nice to know. Assuming we'll
not learn that, we need to at least thoroughly investigate the security
records of any software we consider.
--
Patrick "The N-Man" Barnes
nman64(a)n-man.com
www.n-man.com
--
3:16 p.m.
So, would that be the same spreadfirefox.com that has been
compromised
three time in the last few months? The same one that required users to
keep changing their might-have-been-compromised information? Kind of
leaves me curious...
Do we have any information on Drupal's security track record? PHP has
had its fair share of problems.
Drupal has had a fair share of issues. The xml-rpc issues hit it hard
and b/c there are an ever-growing set of modules for drupal, which, of
course, we'd want to use ALL of - then we'll have to audit more and more
code that is OUTSIDE of the base package. Audits that we have no one to
conduct or focus on, in fact.
DANGEROUS behavior is what that is.
I'm not meaning to bash on Drupal or PHP, but these are
important
concerns. I'm not going to pretend that Python and the Python software
currently in use are perfect, but security was one of the considerations
in their selection. It would be helpful to know how spreadfirefox.com
was compromised. If their failures were problems with Drupal or PHP, or
if they were problems elsewhere would be nice to know. Assuming we'll
not learn that, we need to at least thoroughly investigate the security
records of any software we consider.
http://blog.sethdot.org/index.cgi/263.html
The ubuntu people have had a good deal of success focusing their efforts
on a single dynamic typed and web-interfacing language.
for proof of this look at launchpad.net, ubuntulinux.org, their wiki,
etc etc etc
-sv
4:23 p.m.
On Sat, 12 Nov 2005 16:16:38 -0500, seth vidal wrote
http://blog.sethdot.org/index.cgi/263.html
The ubuntu people have had a good deal of success focusing their efforts
on a single dynamic typed and web-interfacing language.
for proof of this look at launchpad.net, ubuntulinux.org, their wiki,
etc etc etc
Speaking of ubuntu, their community site called "Fridge" is also running on
Drupal.
http://fridge.ubuntu.com/
--
Thomas Chung
FedoraNEWS.ORG (http://fedoranews.org)
"..where you can free your knowledge for your free community!"
3:35 p.m.
> for proof of this look at launchpad.net, ubuntulinux.org, their
wiki,
> etc etc etc
Speaking of ubuntu, their community site called "Fridge" is also running on
Drupal.
http://fridge.ubuntu.com/
At the risk of sounding like I'm measuring dicks:
Thomas, how long have you been a system and/or security administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of
the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal
site is going to run on fedoraproject.org and you're expecting me to
monitor and watch the drupal devel process for problems or security
alerts you have another thing coming.
-sv
3:42 p.m.
Hi
At the risk of sounding like I'm measuring dicks:
Thomas, how long have you been a system and/or security administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of
the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal
site is going to run on fedoraproject.org and you're expecting me to
monitor and watch the drupal devel process for problems or security
alerts you have another thing coming.
Peace everyone. I am going to repeat the same suggestion. If the cms
needs to be run within fedoraproject.org it has already been made clear
that Seth doesnt want a PHP based solution due to security concerns from
a administrative point of view. Python is generally what Fedora prefers
too. So we can look at the python based CMS and check which one fits
our needs or just set a redirect from news.fedoraproject.org to
fedoranews.org and let Thomas Chung continue to administrate and setup
Drupal or anything else that he prefers.
Any other suggestions?
regards
Rahu
3:48 p.m.
Peace everyone. I am going to repeat the same suggestion. If the cms
needs to be run within fedoraproject.org it has already been made clear
that Seth doesnt want a PHP based solution due to security concerns from
a administrative point of view. Python is generally what Fedora prefers
too. So we can look at the python based CMS and check which one fits
our needs or just set a redirect from news.fedoraproject.org to
fedoranews.org and let Thomas Chung continue to administrate and setup
Drupal or anything else that he prefers.
I will quote here what I said to Elliot(sopwith) off list a few weeks
ago:
Begin Quote:
However, if drupal is the "final decision" and you wish to insist on
using it then at the very least I want to see:
- a drupal and drupal-module packages show up in fedora extras LONG
before we implement it.
No matter what system is chosen I want to see:
- all modules we write for it MUST live in fedora cvs and the
developers will NOT have direct write access to the web server running
the website and from where the system runs. This is for the system's
protection and to enforce rigor among the people maintaining the site.
- Programming standards like the process we have implemented for
extras packages. So no one person can push through some crack onto the
live system.
I think we're making a mistake by developing our website using a
language which is not the primary development language for applications
and utilities we write for the distribution we work on. We're dividing
our programming resources and we're sending a mixed message on language
use. Not to mention encouraging poor programming practices.
End Quote
-sv
3:58 p.m.
As long as there is multi-lingual support for news.fedoraproject.org, I
am very happy. I have been translating fedoranews.org to Japanese, but
because of administrating cost of CMS, I have been using static web
site. So there was very little contribution from Japanese community members.
It seems drupal's multi-language support needs "quite a bit of extra
maintenance".
From http://fridge.ubuntu.com/about
"We really wanted to have deep internationalisation support for The
Fridge as soon as it launched, but unfortunately it will have to wait.
The i18n support for Drupal requires quite a bit of extra maintenance,
but hopefully we can demonstrate a good use case to the Drupal
community, and work with them to get it into an upcoming release."
-Yoshihiro
Rahul Sundaram wrote:
Hi
> At the risk of sounding like I'm measuring dicks:
>
> Thomas, how long have you been a system and/or security administrator?
> Are you willing to watch drupal, maintain the package, and audit ALL of
> the modules that we decide to use?
>
> Are you a php programmer, even?
>
> In other words - who is expecting to do the work here? B/c if the drupal
> site is going to run on fedoraproject.org and you're expecting me to
> monitor and watch the drupal devel process for problems or security
> alerts you have another thing coming.
>
>
>
Peace everyone. I am going to repeat the same suggestion. If the cms
needs to be run within fedoraproject.org it has already been made clear
that Seth doesnt want a PHP based solution due to security concerns from
a administrative point of view. Python is generally what Fedora prefers
too. So we can look at the python based CMS and check which one fits
our needs or just set a redirect from news.fedoraproject.org to
fedoranews.org and let Thomas Chung continue to administrate and setup
Drupal or anything else that he prefers.
Any other suggestions?
regards
Rahu
4:54 p.m.
On Sat, 12 Nov 2005 16:35:47 -0500, seth vidal wrote
Thomas, how long have you been a system and/or security
administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of
the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal
site is going to run on fedoraproject.org and you're expecting me to
monitor and watch the drupal devel process for problems or security
alerts you have another thing coming.
-sv
It's not just me and you who will make the decision. I'm just throwing my ideas
and
recommendation. We should consider *all* recommendations from *all* us then put it on
vote as we are living in a democratic world. I don't want to see a *single*
individual
make all the decisions for *all* of us.
As for my website, I'm going with Drupal for next CMS. Yes, I'm going to maintain
the
package and audit the modules on my server.
No, I'm not a PHP programer and I probably don't have as much experience as you
do.
(breathing a moment)
Perhaps, we started in wrong foot. All I wanted and the primary reason to join Fedora
WebGroup was to help develop/maintain Fedora Community Website. I'm not really
interested in *system administration* of fedoraproject.org
I'll step aside for now so *real* system administrators can make the decision.
I'll
accept whatever CMS as a WebGroup decides.
--
Thomas Chung
FedoraNEWS.ORG (http://fedoranews.org)
"..where you can free your knowledge for your free community!"
4:07 p.m.
It's not just me and you who will make the decision. I'm just
throwing my ideas and
recommendation. We should consider *all* recommendations from *all* us then put it on
vote as we are living in a democratic world. I don't want to see a *single*
individual
make all the decisions for *all* of us.
We're not a democracy. We never have been one. anyone who thinks fedora
has been democratic hasn't been paying attention. Moreover it SHOULD NOT
be democratic. It should focus on the merits of the items involved.
So let's stop talking about voting on things. That way lies madness.
As for my website, I'm going with Drupal for next CMS. Yes,
I'm going to maintain the
package and audit the modules on my server.
No, I'm not a PHP programer and I probably don't have as much experience as you
do.
I'm not a php programmer and don't have any desire to learn. After years
of php exploits affecting hundreds of programs I did everything I could
to disable php everywhere I encountered it.
Perhaps, we started in wrong foot. All I wanted and the primary
reason to join Fedora
WebGroup was to help develop/maintain Fedora Community Website. I'm not really
interested in *system administration* of fedoraproject.org
Right and that's ALL I'm interested in. The maintenance and the
security of the website.
I'll step aside for now so *real* system administrators can make
the decision. I'll
accept whatever CMS as a WebGroup decides.
I'm not asking anyone to step aside - but I am asking that we try to
focus on on languages and packages that have:
1. programmers who use and develop on in the project.
2. some history of a security infrastructure
3. the package in fedora core or extras with an active maintainer.
-sv
3:48 a.m.
Hi
Perhaps, we started in wrong foot. All I wanted and the primary reason
to join Fedora
WebGroup was to help develop/maintain Fedora Community Website. I'm not really
interested in *system administration* of fedoraproject.org
I'll step aside for now so *real* system administrators can make the decision.
I'll
accept whatever CMS as a WebGroup decides.
Would it possible for you to evaluate any python based CMS systems?. If
anyone has good ideas or recommendations on this, speak up.
regards
Rahul
7:08 a.m.
On Sat, 2005-11-12 at 16:16 -0500, seth vidal wrote:
As one of the people who has been the 'person' in this conversation,
please allow me to publicly back your position. You are perfectly
correct.
But ...
We have been laboring for months without needed functionality on
fedoraproject.org
_If_ there is an end in site, then great. But I want to know that our
RFEs are not going to sink into a blackhole.
Obviously, you have been a one-person show, which explains much of this.
So, I'm going to pledge my efforts to find you more resources, probably
from within Red Hat. They can work in Python, put up a Python-based
CMS, add functionality to Moin Moin, and support whatever packages into
FE that we need.
If I can do that, can you, Seth, as the fp.o Chief SA, and to everyone
else on this list, make this pledge: to make these additional functions
a high priority? Provide status updates on when they can be completed?
Give us some chances to work with beta versions? Etc.
Here is a quick list:
* Two-way editing of XML in CVS using the Wiki.
* CMS back-end to allow us to have:
- More writers and editors of content using a workflow that forces
approval before content can be posted.
- More Web-based functionality to attract contributors, without
compromising on the extreme value of having all in XML
* The ability to do more automagic with aggregation and building of
content on the fly (RSS feeding into XML templates, or whatever)
Anyone else have anything to add here?
I think we need a separate thread to discuss the functionality of our
CMS, separate from a discussion of specific solutions and languages.
This topic may already be going, but I can't tell because all the
messages seem to be about "[Fedora-websites-list] Re:..." and I haven't
read through them yet. :)
- Karsten
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
8:16 p.m.
On Mon, 2005-11-14 at 05:08 -0800, Karsten Wade wrote:
On Sat, 2005-11-12 at 16:16 -0500, seth vidal wrote:
> http://blog.sethdot.org/index.cgi/263.html
As one of the people who has been the 'person' in this conversation,
please allow me to publicly back your position. You are perfectly
correct.
But ...
We have been laboring for months without needed functionality on
fedoraproject.org
_If_ there is an end in site, then great. But I want to know that our
RFEs are not going to sink into a blackhole.
Obviously, you have been a one-person show, which explains much of this.
So, I'm going to pledge my efforts to find you more resources, probably
from within Red Hat. They can work in Python, put up a Python-based
CMS, add functionality to Moin Moin, and support whatever packages into
FE that we need.
If I can do that, can you, Seth, as the fp.o Chief SA, and to
everyone
else on this list, make this pledge: to make these additional functions
a high priority? Provide status updates on when they can be completed?
Give us some chances to work with beta versions? Etc.
Yes. And as we did with the buildsystem systems those people who are
willing to be security-minded and consistent with their application of
that should and will have access to all aspects of the system.
Here is a quick list:
* Two-way editing of XML in CVS using the Wiki.
* CMS back-end to allow us to have:
- More writers and editors of content using a workflow that forces
approval before content can be posted.
- More Web-based functionality to attract contributors, without
compromising on the extreme value of having all in XML
* The ability to do more automagic with aggregation and building of
content on the fly (RSS feeding into XML templates, or whatever)
I was contacted by the lead of the django project (djangoproject.com) as
a result of my rant in my blog. He's a fedora user and he says he's
interested in helping out. Django is one of the python web toolkits that
is rapidly advancing up the stack of things. I responded to him to join
this list and let's start figuring out what to implement.
-sv
4:18 p.m.
(sorry if you're getting a duplicate message)
On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
Do we have any information on Drupal's security track record?
PHP has
had its fair share of problems.
I'm not meaning to bash on Drupal or PHP, but these are important
concerns. I'm not going to pretend that Python and the Python software
currently in use are perfect, but security was one of the considerations
in their selection. It would be helpful to know how spreadfirefox.com
was compromised. If their failures were problems with Drupal or PHP, or
if they were problems elsewhere would be nice to know. Assuming we'll
not learn that, we need to at least thoroughly investigate the security
records of any software we consider.
Here is a list of security track records for Drupal 4.x from secunia.
http://secunia.com/product/342/
Basically there were 1 security advisory in 2002, 2003 then 5 security advisories in
2005.
Also I would suggest to check out the video with title "100% availability,
scalability
and security with Drupal" from Drupal conference:
http://drupal.org/drupalcon-2005-media
--
Thomas Chung
FedoraNEWS.ORG (http://fedoranews.org)
"..where you can free your knowledge for your free community!"
3:23 p.m.
On Sat, 2005-11-12 at 14:18 -0800, Thomas Chung wrote:
(sorry if you're getting a duplicate message)
On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
> Do we have any information on Drupal's security track record? PHP has
> had its fair share of problems.
>
> I'm not meaning to bash on Drupal or PHP, but these are important
> concerns. I'm not going to pretend that Python and the Python software
> currently in use are perfect, but security was one of the considerations
> in their selection. It would be helpful to know how spreadfirefox.com
> was compromised. If their failures were problems with Drupal or PHP, or
> if they were problems elsewhere would be nice to know. Assuming we'll
> not learn that, we need to at least thoroughly investigate the security
> records of any software we consider.
Here is a list of security track records for Drupal 4.x from secunia.
http://secunia.com/product/342/
Basically there were 1 security advisory in 2002, 2003 then 5 security advisories in
2005.
Thomas, it'd be more interesting to look on the defacement sites and
find out how many sites were defaced running drupal - as that metric
gives us the more worrisome result.
moreover - you need to count every remotely-exploitable issue in php in
a module that drupal uses.
php-xml-rpc, specifically, should be fun to watch.
-sv
6746
days inactive
6749
days old
websites@lists.fedoraproject.org
14 comments
7 participants
participants (7)
-
Karsten Wade -
Patrick W. Barnes -
Rahul Sundaram -
Seth Vidal -
seth vidal -
Thomas Chung -
Yoshihiro Totaka