On Tuesday 1 August 2006 19:20, Morbus Iff wrote:
So, as I was about to report a SQL injection vulnerability in LinksDB, I realized I was looking at only the code in HEAD, and not in the Drupal 4.7 branch. That code is marginally better, so I'll retract some, but not all, of my earlier comments and scorn.
Though his wording is rather harsh, there is a valid point. But we must realize that such a rant is possible for, I think, up to 1/6th of the modules in contribs. There are a serious lot of modules that range from plain insecure to ReallyDon'tUseOnYourSite. Luckily, hardly any of these are actually released, or they are released with a big fat "alpha code, don't use it" warning. On top of that, the snippets repository has some rather ugly or nasty "cut 'n' paste" examples too (though I found none with security issues!).

If we, as Drupal, want to maintain high standards, I suggest we expand our "quality" beyond just core. For 90% of the users, snippets == Drupal. For 96%, contribs === Drupal. Having core "perfect" but the rest at a low standard would be an option if that core could "do anything". But for that to happen, you need the contribs around.

I had a long discussion lately with a senior software developer who came to me with the question "why do people actually like Drupal? Its code/products/online help ranges from utter cr## to very nice, with a VERY heavy weight on the cr## part." After which I had to explain that Drupal == core, and that all the rest is not "really" Drupal. The fact that people cannot see through that, cannot see that Drupal is actually limited to only the core, is impossible to communicate.

After that discussion, I wrote the planet blog post about this too, in which I explain how we could solve this.
»» http://webschuur.com/node/640

To illustrate my point: if you talk about Linux to a friend, do you tell her that Linux can't do anything at all? That you might be able to get a text file together using some of the GNU tools like awk and sed, but that that is about it? Of course not! If you talk about Linux, you point out how pretty KDE can look, or how usable/easy Gnome is. How feature-rich the office suites are! You tell her that Linux has thousands of high-quality apps available. Etc., etc.

We do the same with Drupal. We talk about Drupal as if you can create a wiki with it. As if it can compete with weblog tools such as Wordpress. As if it has captcha, buddylists, send-a-friend, advanced content permissions, image features, etc. Which is only true if you talk about Drupal as Drupal + contribs.

Bèr -who is aware that his contribs also range from cr## to, eeuuh- Kessels