[development] RFC: letting modules phone home to check for new releases
Darrel O'Pry
dopry at thing.net
Wed Nov 22 22:04:39 UTC 2006
Write perms to the modules directory from Drupal as the web server user is
really hard for me to swallow....
Any package-manager-like script should be run from the command line as
a privileged user. It should do its set job and be bulletproof.
On Wed, 2006-11-22 at 11:21 +0100, Oswald Jaskolla wrote:
> Wow,
>
> Oswald Jaskolla wrote:
> > I am currently working on a system to automatically install modules.
>
> looks like I really hit a nerve there. So let me clarify a few things:
>
> - Downloading and installing is only done on explicit request of the
> administrator. I am not Microsoft.
> - Downloaded files are not less safe because they are downloaded via
> PHP. There is currently no checksumming available and apart from
> developers nobody looks into the code to see if it was tampered with.
> - There are a lot of drupal installations for development and testing,
> that do not have the same security needs as production sites have.
> - Typo3 does it.
>
> The only security issue remaining is having write access to the modules
> directory. If the actual downloading and unpacking is done via a one
> time cron job, this cron job could temporarily alter the access mode of
> the target directory, minimizing the time that the directory is writable.
>
> Greetings,
> --
> Oswald Jaskolla
> Ingenieurbüro Richard Schieferdecker
> Kreuzherrenstraße 2
> 52062 Aachen
>
> Tel.: 02 41 / 409 54 43
> Fax: 02 41 / 477 05 199
> mobile: 01 64 / 941 06 75
> E-mail: oswald.jaskolla at schieferdecker.com
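The two proposals in this thread (a command-line install run as a privileged user rather than by the web server, and a job that keeps the modules directory writable only for the duration of the unpack) combined in one script, as an added example that is not Drupal's code nor either poster's; it also adds the checksum verification the thread notes is missing. The function name, the sha256 argument and the use of GNU coreutils (`stat -c`, `sha256sum`) are assumptions.

```shell
#!/bin/sh
# Hypothetical install helper (not Drupal's own code). Meant to be run from
# the command line or cron as a privileged user, never by the web server.
set -eu

# install_module <modules_dir> <archive.tar.gz> <expected_sha256>
# Returns 0 on success, 1 on checksum mismatch. The directory mode is
# restored on every exit path (including a failure inside tar) via the trap.
install_module() {
    modules_dir=$1; archive=$2; expected=$3

    # 1. Verify the downloaded archive before touching the filesystem.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi

    # 2. Record the current mode so the writable window can be closed again,
    #    even if extraction aborts (GNU stat assumed).
    orig_mode=$(stat -c '%a' "$modules_dir")
    trap 'chmod "$orig_mode" "$modules_dir"' EXIT
    chmod u+w "$modules_dir"

    # 3. Unpack only while the directory is writable, then restore the mode.
    tar -xzf "$archive" -C "$modules_dir"
    chmod "$orig_mode" "$modules_dir"
    trap - EXIT
    return 0
}

# Usage (as a privileged user, from a shell or a one-time cron entry):
#   install_module /path/to/drupal/modules /tmp/mymodule.tar.gz <sha256>
```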