I've been lurking for a while, but haven't thrown my hat into the ring
for any projects yet. I'd be willing to help with Drupal or
MediaWiki, both of which I run internally for my present employer.
Matt Pusateri
On 11/1/07, Toshio Kuratomi <a.badger(a)gmail.com> wrote:
Michael Stahnke wrote:
>> identifying and removing security problems?
>>
>> For #1, compare the number of CVEs_ in mediawiki to moin and drupal to
>> zope+plone:
>>               2007   2006   2005
>> moin             5      0      0
>> mediawiki        7      5     12
>>
>> drupal          36     37      8
>> zope(plone)  1(+0)  2(+3)  1(+0)
>>
>
>
>> Now we all know that numbers can be misleading but still this seems to
>> highlight something for me: there are projects which care about security
>> and there are projects which tack it on as an after thought. No matter
>> how much work we put into security locally (SELinux, mod_security, code
>> auditing), we don't want to be using a project which belongs to the
>> latter camp. *Sending security patches upstream doesn't help if
>> upstream will just introduce a new batch of security issues in their
>> next release.*
>
> Some of the numbers might have to do with install-base size also. I
> realize you did qualify your statement, but I thought it should be
> called out explicitly. I know of dozens of mediawiki sites I use
> nearly every day, whereas moin, I know of one. Also, why is mediawiki
> ok for 108 and et.redhat.com but not for fedora? I would think some
> type of review/assessment was done for those sites.
>
The first sentence of my next paragraph is important here:
'''
PS: Purely on the basis of these numbers I'd be led to believe that
replacing moin with mediawiki would be acceptable. [...]
'''
;-)
In my mind, I drew the line between drupal and the rest of the projects
in that group. In plone+zope's worst year, it still had 7x fewer CVEs,
while mediawiki is pretty close to moin (1.4x). I didn't want to write
it in the paragraph you quoted because making that judgement drags in
install base (as you mention), which I don't have any numbers for.
-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list