[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages
fix execution of arbitrary web script code
Bèr Kessels
ber at webschuur.com
Thu Jul 27 09:54:14 UTC 2006
On Thursday 27 July 2006 04:49, Khalid B wrote:
> Since Drupal is a) fast moving, b) composed of core and myriad of
> contribs, c) has a web interface for install/update and not a command
> line one, it is difficult to have a proper Debian package that preserves
> the user's data integrity as well as keep them up to date with all the
> core and contrib they may have.
We are forgetting that a LOT of people (should) not want to keep up to date.
Just ask yourself this question about a system you are not as closely involved
in as Drupal: "Am I really interested in the Very Latest Features of
phpmyadmin?". My answer is no. If I (would*) use phpmyadmin I want three
things:
* It must Just Work (bugfree)
* It must be secure.
* It should meet my requirements (i.e. do what I need it for)
If, in ten months from now a new debian comes available, and features a new
PHPmyAdmin branch, I'll be happy, and probably use the new features gladly.
But for now, I (would) run the most stable -acc to debian- version. And that
one has worked fine for me all along: Why go through all the hassle of New And
Improved Features, concepts and all that, when the current system works?
Would you really deploy MySQL 5 already? Only to get features you have been
doing fine without for ages?
We (Drupalleers) seem to forget that people might not be that much interested
in our improvements, but want their website to continue running the coming
years. And frankly, in my branch/niche/userbase, being middle and small
companies with a need for "a website" aka brochureware, this is all people
want. People see Drupal as a tool just like we see all other software as a
tool.
If you were happy with 4.6 by the time you released your site on it, why would
you want to go to 4.7? Don't forget that continuation costs a certain price
per month/year/week, but that upgrading requires big investments every time.
If you have built a Drupal site for €9000 (which meets the requirements of
the client) and within four months that client needs to invest another €5000,
just to get New Stuff they never asked for in the first place, that is IMO wrong.
To summarise: There are a lot of valid reasons for a stable, yet oldish,
reliable, yet not cutting edge, and know-what-to-expect yet not with the
latest Schmupal, release system. The fact a 4.5* debian version is somehow
maintained proves this fact.
Bèr
* I don't actually use phpmyadmin on my own debian server. But this was the
closest and best example I can find.