[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code

Gerhard Killesreiter gerhard at killesreiter.de
Thu Jul 27 01:50:37 UTC 2006

James Walker wrote:
> On 26-Jul-06, at 7:06 PM, Larry Garfield wrote:
>> I recommend Debian upgrades its Drupal packages, too.  I understand Sarge,
>> but why does Sid include 4.5.x?
> AFAIK, there isn't an active Debian maintainer for Drupal... killes?

Ok, here it is again, the long, sad story of the Drupal Debian package...

Once upon a time some guy named Hugo came along and asked "hey, I'd like 
to make a .deb from Drupal." and Dries, being nice, said "sure, why 
not?". Hugo kept producing Debian packages for two (?) more releases and 
then vanished from the face of the earth. Meanwhile, Drupal continued 
its fast race towards world domination. But there were still some people 
using the ill-fated Debian package and asking support questions. This 
annoyed me a great deal. So I spoke to my friend Hilko who after some 
time released a new debian package and kept doing that for a while. This 
Debian package of his is now in the stable Debian release and people seem 
to see a need to add security fixes. Due to Debian's procedures, the 
package in the stable release can't be upgraded to 4.7.

Hilko doesn't really like PHP applications since he is a Perl coder; he 
also doesn't use Drupal himself. So he abandoned the package several 
weeks ago. There seem to be some people who want to take over as 
maintainers, but I really hope they find some better way to spend their 
spare time and let the package die.

I repeat my opinion: Due to the faster release cycle, Drupal isn't 
something that should be part of a software distribution which has a 
long release cycle.

