[development] RFC: letting modules phone home to check for new releases
drupal at dwwright.net
Wed Nov 22 01:25:11 UTC 2006
On Nov 21, 2006, at 10:13 AM, Oswald Jaskolla wrote:
> So, what do you think?
i hope you don't take this personally, by i'm *very* opposed to the
kind of system you're building.
the security implications of giving your website permission to
overwrite itself automatically are *HORRIFYING*. i'd never install
such a thing, and i'd never advocate anyone else should install such
the kind of system i'm building is just an automated way to tell the
human site admins: "your code is out of date" (and if true, "and
insecure") and nag them mercilessly until they upgrade the stale
module(s) to the latest, secure version(s). it's still the human's
task to perform the upgrade itself.
this manual upgrade could itself be further automated, but a high-
privileged admin user must run this automated script themselves, just
like they have to run update.php themselves. building and providing
a tool that can "do it all" for you is asking for security hell, and
therefore defeats the purpose of what i'm trying to accomplish (make
it easier and therefore more likely for drupal sites to remain secure).
anyway, i'm willing to coordinate, and further discuss design/
implementation issues, but i can't emphasize enough how bad i think a
fully-automated system for upgrading a drupal site would be.
maybe i'm misunderstanding your design/proposal, but after re-reading
your message a few times, it's pretty clear you're marching down the
path towards what i'd consider "the dark side". ;)
More information about the development