[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code

Neil McGovern neilm at debian.org
Fri Jul 28 19:43:02 UTC 2006

On Thu, Jul 27, 2006 at 02:12:13PM -0400, Darrel O'Pry wrote:
> On Thu, 2006-07-27 at 09:56 +0100, Neil McGovern wrote:
> > On Wed, Jul 26, 2006 at 09:25:27PM -0400, James Walker wrote:
> > > 
> > > AFAIK, there isn't an active Debian maintainer for Drupal... killes?
> > 
> > That would be me. I also produced the security update.
> > 
> > Further info on plans with regard to drupal can be found at
> > http://lists.alioth.debian.org/pipermail/pkg-drupal-devel/2006-July/000005.html
> > 
> > Sid should include 4.7.2 shortly, which should propogate to etch in time
> > for the release, and I intend to remove the 2.5 packages as soon as
> > possible.
> I'm personally of the opinion that php apps shouldn't generally be
> packaged by distros because of the upgrade issues and the fact that it
> isn't really a compiled binary aka not dependent on the rest of the
> distributions libraries. But splitting the packages  by version and
> letting the distro's users deal with the upgrade path seems like a good
> idea.

One of the advantages of packaging WebApps by distributions is the
security support that is provided with it. There are additional problems
associated with WebApps, and I'm a co-author on the Debian WebApps
Policy draft[0] and gave a BoF[1] at DebConf[2] about it.


[0] http://webapps-common.alioth.debian.org/draft/
[1] http://tinyurl.com/fwqhj (ogg thedora video)
[2] The annual debian developer's conference
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3

More information about the development mailing list