[development] RFC: letting modules phone home to check for new releases

Oswald Jaskolla oswald.jaskolla at schieferdecker.com
Wed Nov 22 10:21:30 UTC 2006

Hash: SHA1


Oswald Jaskolla wrote:
> I am currently working on a system to automatically install modules.

looks like I really hit a nerve there. So let me clarify a few things:

- - Downloading and installing is only done on explicit request of the
  administrator. I am not Microsoft.
- - Downloaded files are not less safe because they are downloaded via
  PHP. There is currently no checksumming available and apart from
  developers nobody looks into the code to see if it was tampered with.
- - There are a lot of drupal installations for development and testing,
  that do not have the same security needs as production sites have.
- - Typo3 does it.

The only security issue remaining is having write access to the modules
directory. If the actual downloading and unpacking is done via a one
time cron job, this cron job could temporarily alter the access mode of
the target directory, minimizing the time that the directory is writable.

- --
Oswald Jaskolla
Ingenieurbüro Richard Schieferdecker
Kreuzherrenstraße 2
52062 Aachen

Tel.: 02 41 / 409 54 43
Fax: 02 41 / 477 05 199
mobil: 01 64 / 941 06 75
eMail: oswald.jaskolla at schieferdecker.com
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the development mailing list