[Fwd: Re: CMS Option: Zikula]

Stephen John Smoogen smooge at gmail.com
Fri Jan 30 00:39:15 UTC 2009


2009/1/29 Toshio Kuratomi <a.badger at gmail.com>:
> I sent this to the docs list when they started considering Zikula.  Now
> that we're setting up a test instance and getting some people on the
> infrastructure team to work on it, it seems like a good point in time to
> forward it here.
>
> -------- Original Message --------
> Date: Fri, 23 Jan 2009 16:55:03 -0800
> From: Toshio Kuratomi <a.badger at gmail.com>
> To: fedora-docs-list at redhat.com
>
> Paul W. Frields wrote:
>> I think we should also be considering the other major players in the
>> CMS game, if there are people available to deploy and maintain them.
>> Drupal and Joomla! immediately come to mind, the latter especially
>> because it actually has some DocBook XML support.  Features aren't
>> particularly compelling, though, if we have no one around to help with
>> the maintenance.
>>
> One of the things I didn't know until I did some browsing around their
> website is that Zikula started off as PostNuke but that they changed the
> name in June.  So they are a long term player in the CMS market.
>
>> None of this has any bearing on the quality of Zikula, which I'm sure
>> is excellent.
>>
> I was impressed by a few of the things I've learned since this morning
> :-)  The answers to how proactive the security is were a nice change from
> the usual thoughts I've seen:
>   https://fedoraproject.org/wiki/Zikula_IRC_Chat_Interview#t12:20
>
> Here's my naive search of cve.mitre.org for issues reported in 2008.
> Note that some people would say to exclude plugins from this but my view
> is that we're going to be running plugins as part of our deployment and
> we'll want to know if we can expand our capabilities by pulling in
> functionality via plugins without compromising security.  So knowing
> this does a *little* towards understanding whether the Core provides an
> API for writing secure plugins and the plugin community is security
> minded as well as Core developers.  And like I say, this is naive :-)
>
> 91 Joomla -- Lots of plugins, a few in core
> 79 Drupal -- Lots of plugins, a few in core
> 60 Wordpress -- Lots of plugins, a few in core
> 53 Mambo -- Lots of plugins, at least one in core
> 4 Zikula + PostNuke -- 1 in Core, 3 in plugins

That sounds awfully low for PostNuke. Doing a quick Google search of
PostNuke security fixes and just looking at different releases... there
should be about 20 with some amount in core and a lot in plugins. My
information about the current state of PostNuke is not good. I am
betting that they are doing a lot more for security but a number of 4
problems just was too low for the amount of systems I have had to
'clean' since 2002.


-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"



