[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code

Bèr Kessels ber at webschuur.com
Thu Jul 27 09:54:14 UTC 2006


On Thursday 27 July 2006 04:49, Khalid B wrote:
> Since Drupal is a) fast moving, b) composed of core and myriad of
> contribs, c) has a web interface for install/update and not a command
> line one, it  is difficult to have a proper Debian package that preserves
> the user's data integrity as well as keep them up to date with all the
> core and contrib they may have.

We are forgetting that a LOT of people (should) not want to keep up to date. 

Just ask yourself this question about a system you are not as closely involved 
in as Drupal: "Am I really interested in the Very Latest Features of 
phpmyadmin?". My answer is no. If I (would*) use phpmyadmin I want three 
things:
 * It must Just Work (bugfree)
 * It must be secure.
 * It should meet my requirements (IE do what I need it for)

If, in ten months from now a new debian comes available, and features a new 
PHPmyAdmin branch, I'll be happy, and probably use the new features gladly. 
But for now, I (would) run the most stable -acc to debian- version. And that 
one has worked fine for me all along: Why go through all the hassle of New And 
Improved Features, concepts and all that, when the current system works?
Would you really deploy MySQL 5 already? Only to get features you have been 
doing fine without for ages?

We (Drupalleers) seem to forget that people might not be that much interested 
in our improvements, but want their website to continue running the coming 
years. And frankly, in my branch/niche/userbase, being middle and small 
companies with a need for "a website" aka brochureware, this is all people 
want. People see Drupal as a tool just like we see all other software as a 
tool.
If you were happy with 4.6 by the time you released your site on it, why would 
you want to go to 4.7? Don't forget that continuation costs a certain price 
per month/year/week, but that upgrading requires big investments every time. 
If you have built a Drupal site for €9000 (which meets the requirements of 
the client) and within four months that client needs to invest another €5000, 
just to get New Stuff they never asked for in the first place, that is IMO wrong. 

To summarise: There are a lot of valid reasons for a stable, yet oldish, 
reliable, yet not cutting edge, and know-what-to-expect yet not with the 
latest Schmupal, release system. The fact a 4.5* debian version is somehow 
maintained proves this fact.

Bèr

* I don't actually use phpmyadmin on my own debian server. But this was the 
closest and best example I can find.
