Php why must your apps suck so?

Toshio Kuratomi a.badger at gmail.com
Thu Nov 1 18:31:31 UTC 2007


Michael Stahnke wrote:
>> identifying and removing security problems?
>>
>> For #1, compare the number of CVEs in mediawiki to moin and drupal to
>> zope+plone:
>>                 2007   2006   2005
>>    moin           5      0      0
>>    mediawiki      7      5     12
>>
>>    drupal        36     37      8
>>    zope(plone)  1(+0)  2(+3)  1(+0)
>>
> 
> 
>> Now we all know that numbers can be misleading but still this seems to
>> highlight something for me: there are projects which care about security
>> and there are projects which tack it on as an afterthought.  No matter
>> how much work we put into security locally (SELinux, mod_security, code
>> auditing), we don't want to be using a project which belongs to the
>> latter camp.  *Sending security patches upstream doesn't help if
>> upstream will just introduce a new batch of security issues in their
>> next release.*
> 
> Some of the numbers might have to do with install-base size also.  I
> realize you did qualify your statement, but I thought it should be
> called out explicitly.  I know of dozens of mediawiki sites I use
> nearly every day, whereas moin, I know of one.  Also, why is mediawiki
> ok for 108 and et.redhat.com but not for fedora?  I would think some
> type of review/assessment was done for those sites.
> 

The first sentence of my next paragraph is important here:
'''
PS: Purely on the basis of these numbers I'd be led to believe that 
replacing moin with mediawiki would be acceptable. [...]
'''

;-)

In my mind, I drew the line between drupal and the rest of the projects 
in that group.  In plone+zope's worst year, it still had 7x fewer CVEs 
while mediawiki is pretty close to moin (1.4x).  I didn't want to write 
it in the paragraph you quoted because making that judgement drags in 
install base (as you mention) which I don't have any numbers for.

-Toshio
