Php why must your apps suck so?

Flatfender flatfender at gmail.com
Thu Nov 1 19:24:06 UTC 2007


I've been lurking for a while, but haven't thrown my hat into the ring
for any projects yet.  I'd be willing to help with Drupal or
Mediawiki, both of which I run internally for my present employer.

Matt Pusateri

On 11/1/07, Toshio Kuratomi <a.badger at gmail.com> wrote:
> Michael Stahnke wrote:
> >> identifying and removing security problems?
> >>
> >> For #1, compare the number of CVEs_ in mediawiki to moin and drupal to
> >> zope+plone:
> >>                 2007   2006   2005
> >>    moin           5      0      0
> >>    mediawiki      7      5     12
> >>
> >>    drupal        36     37      8
> >>    zope(plone)  1(+0)  2(+3)  1(+0)
> >>
> >
> >
> >> Now we all know that numbers can be misleading but still this seems to
> >> highlight something for me: there are projects which care about security
> >> and there are projects which tack it on as an afterthought.  No matter
> >> how much work we put into security locally (SELinux, mod_security, code
> >> auditing), we don't want to be using a project which belongs to the
> >> latter camp.  *Sending security patches upstream doesn't help if
> >> upstream will just introduce a new batch of security issues in their
> >> next release.*
> >
> > Some of the numbers might have to do with install-base size also.  I
> > realize you did qualify your statement, but I thought it should be
> > called out explicitly.  I know of dozens of mediawiki sites I use
> > nearly every day, whereas moin, I know of one.  Also, why is mediawiki
> > ok for 108 and et.redhat.com but not for fedora?  I would think some
> > type of review/assessment was done for those sites.
> >
>
> The first sentence of my next paragraph is important here:
> '''
> PS: Purely on the basis of these numbers I'd be led to believe that
> replacing moin with mediawiki would be acceptable. [...]
> '''
>
> ;-)
>
> In my mind, I drew the line between drupal and the rest of the projects
> in that group.  In plone+zope's worst year, it still had 7x fewer CVEs
> while mediawiki is pretty close to moin (1.4x).  I didn't want to write
> it in the paragraph you quoted because making that judgement drags in
> install base (as you mention) which I don't have any numbers for.
>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>