I agree with you in principle, but the problem is that end users don't consider contributed modules to be separate from core. As more and more contributed modules become vulnerable to these kinds of issues, Drupal as a whole begins to look bad. That's the primary reason for the restrictions on importing foreign stuff into Drupal CVS. It annoys the hell out of me on occasion, but I can see their point, too.

Tao Starbow wrote:
I don't understand this argument. We all already know there are insecure modules available for download from the Drupal CVS. That is just the nature of an unaudited contribution system. It is up to each module maintainer to make their project secure, and we all do it to varying levels of ability and diligence. If a project maintainer includes 3rd party GPL code in a module, they are putting their personal reputation on the line, exactly the same if they don't include 3rd party code.
Besides, the Slashdot article is about insecure WordPress plugins that shipped with the core package.
Michael Hess wrote:
I would like to see a Drupal-optimized TinyMCE package. It'd make it a lot easier on me if it had standard Drupal-related plugins already installed so I didn't have to do that manually for every site.
I was not going to weigh in on this, but I provided a quote to a client several weeks ago; they made the choice to do the work themselves in WordPress.
Today I got a call from them, talking about <http://it.slashdot.org/it/07/05/24/167223.shtml>, asking me if I was still willing to do the work. I tried to explain to them that Drupal can suffer from the same issues. (They did not really understand, but that is OK for the purpose of this email.)
If we start allowing chunks of code in, I think it would end up being a huge security issue for Drupal overall.
If a site gets compromised, it won't be X module that was a security issue; it will be Drupal that is the security issue.
Just my 2 cents, Michael
-- Sean Robertson Web Developer NGP Software, Inc. seanr@ngpsoftware.com (202) 686-9330 http://www.ngpsoftware.com