[development] RFC: letting modules phone home to check for new releases
oswald.jaskolla at schieferdecker.com
Wed Nov 22 10:21:30 UTC 2006
Oswald Jaskolla wrote:
> I am currently working on a system to automatically install modules.
Looks like I really hit a nerve there. So let me clarify a few things:
- Downloading and installing is only done on explicit request of the
  administrator. I am not Microsoft.
- Downloaded files are not less safe because they are downloaded via
  PHP. There is currently no checksumming available and apart from
  developers nobody looks into the code to see if it was tampered with.
- There are a lot of Drupal installations for development and testing
  that do not have the same security needs as production sites have.
- Typo3 does it.
The only security issue remaining is having write access to the modules
directory. If the actual downloading and unpacking is done via a
one-time cron job, this cron job could temporarily alter the access mode of
the target directory, minimizing the time that the directory is writable.
Ingenieurbüro Richard Schieferdecker
Tel.: 02 41 / 409 54 43
Fax: 02 41 / 477 05 199
mobil: 01 64 / 941 06 75
eMail: oswald.jaskolla at schieferdecker.com
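The idea in the message's last paragraph, sketched as an added example (not part of the original post and not Drupal code): a function a one-time cron job could call, which opens the modules directory for writing only while the archive is unpacked and then restores the previous mode. The function name `install_module`, the use of GNU `sha256sum`, `stat` and `tar`, and the administrator-supplied SHA-256 digest are assumptions; the post itself notes that no checksumming was available.

```shell
#!/bin/sh
# Added example. Assumptions: GNU coreutils/tar; the expected digest is
# supplied by the administrator out of band (hypothetical workflow).
# Usage: install_module ARCHIVE.tar.gz EXPECTED_SHA256 MODULES_DIR

install_module() {
    archive=$1     # already-downloaded module archive
    expected=$2    # expected SHA-256 hex digest
    target=$3      # modules directory, normally not writable

    # Verify integrity before the directory is ever opened for writing.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi

    # Refuse archives whose members use absolute paths or ".." components.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 2
    fi

    # Remember the current mode, then open the write window.
    old_mode=$(stat -c '%a' "$target") || return 3
    chmod u+w "$target" || return 3

    rc=0
    tar -xzf "$archive" -C "$target" \
        --no-same-owner --no-same-permissions || rc=$?

    # Close the write window whether or not the unpack succeeded.
    chmod "$old_mode" "$target"

    [ "$rc" -eq 0 ] || return 4
    return 0
}
```

Both checks run before `chmod u+w`, so a rejected archive never causes the directory to become writable at all.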