[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code
Gerhard Killesreiter
gerhard at killesreiter.de
Thu Jul 27 01:50:37 UTC 2006
James Walker wrote:
>
> On 26-Jul-06, at 7:06 PM, Larry Garfield wrote:
>
>> I recommend Debian upgrades its Drupal packages, too. I understand Sarge,
>> but why does Sid include 4.5.x?
>>
>
> AFAIK, there isn't an active Debian maintainer for Drupal... killes?

Ok, here it is again, the long, sad story of the Drupal Debian package...

Once upon a time some guy named Hugo came along and asked "hey, I'd like
to make a .deb from Drupal." and Dries, being nice, said "sure, why
not?". Hugo kept producing Debian packages for two (?) more releases and
then vanished from the face of the earth. Meanwhile, Drupal continued
its fast race towards world domination. But there were still some people
using the ill-fated Debian package and asking support questions. This
annoyed me a great deal. So I spoke to my friend Hilko who after some
time released a new Debian package and kept doing that for a while. This
Debian package of his is now in the stable Debian release and people seem
to see a need to add security fixes. Due to Debian's procedures, the
package in the stable release can't be upgraded to 4.7.

Hilko doesn't really like PHP applications since he is a Perl coder; he
also doesn't use Drupal himself. So he abandoned the package several
weeks ago. There seem to be some people who want to take over as
maintainers, but I really hope they find some better way to spend their
spare time and let the package die.

I repeat my opinion: Due to the faster release cycle, Drupal isn't
something that should be part of a software distribution which has a
long release cycle.

Cheers,
Gerhard