[development] RFC: letting modules phone home to check for new releases

Boris Mann boris at bryght.com
Sat Nov 18 19:04:24 UTC 2006

On 11/17/06, Derek Wright <drupal at dwwright.net> wrote:
> i *really* want to get this data into the .info files ASAP so that
> there aren't many 5.x contribs out in the wild that are missing it.
> however, i don't want to just unilaterally decide the fields and
> format of the values without any input from the rest of you.  so,
> please comment ASAP here:
> http://drupal.org/node/94154

Adding the extra information is a great idea...we have our own little
repository / update system, and with a different "home", different sites
could, for instance, keep different distributions up to date.

HOWEVER, the phone home and XML-RPC stuff makes me *very* nervous from a
security perspective. I would want to have some real hard core folks examine
and document information flow end to end and looking for vulnerabilities --
ideally some external folks as well. We will need to review all
Drupal.orgprocesses as well as the receiving code.

There has been other talk about auto-downloading various information. Same
comment there -- huge security risk, needs 100x as much review, and even
then I'm nervous about it....

Boris Mann
Vancouver 778-896-2747
San Francisco 415-367-3595
Skype borismann
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20061118/287b12d5/attachment.htm 

More information about the development mailing list