[development] RFC: letting modules phone home to check for new releases

Larry Garfield larry at garfieldtech.com
Wed Nov 22 23:45:22 UTC 2006


On Wednesday 22 November 2006 17:33, Darren Oh wrote:
> On Nov 22, 2006, at 5:04 PM, Darrel O'Pry wrote:
> > write perms to modules directory from drupal as web server user is
> > really hard for me to swallow....
> >
> > any package managers like script should be run from the command
> > line as
> > a privileged user. should do its set job and be bullet proof.
>
> Let's not forget that very few users use the command line to work
> with Drupal. Let's also not make unnecessary assumptions about how an
> automated module install or upgrade would work. The security issues
> will be worked out if people share more ideas for how it can be done
> than for how it can't be done.

I don't see how it can be done any other way.

The apache user should NOT have write access to code files.

To upgrade modules, you need write access to code files.

Therefore, you either need to temporarily give apache write access to code 
files (which you can't do from within a web app running in apache, obviously) 
or run the upgrade as a user that already has write access to them.  

The Drupal 5 installer already says "please manually give apache write access" 
before it runs (something you need a command line for, or a toggle in an FTP 
client) and "hey, lock down access now" afterward for settings.php.  That 
kinda works for one file, but for an entire file tree I don't see how that 
would work.

> Oswald was asking to collaborate. The negative reactions give the
> impression that some people would rather work on their own. Not very
> open source. Am I missing some history here?

I think the "history" is "we're already working on it in way X, it's a hard 
problem, please don't confuse us with way Y that has problems that way X is 
already trying to address".  Note that I am not part of the "we" in that 
sentence; I am just summarizing what I've seen said in the past year. :-)

-- 
Larry Garfield			AIM: LOLG42
larry at garfieldtech.com		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson
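
The constraint argued in the message above (the web server account must not be able to modify code files) can be audited from owner and mode bits alone. The sketch below is an added example, not code from this thread or from Drupal; the file names, modes and the web server uid are constructed, and ACLs are not considered.

```python
import os
import stat
import tempfile

def can_modify(st, uid, gids):
    """True if POSIX owner/mode bits let uid (with groups gids) change the entry."""
    if st.st_uid == uid:
        return True  # the owner can always chmod the entry back to writable
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)  # group class wins over "other"
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, uid, gids):
    """Return sorted paths under root, relative to it, that uid could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A writable directory lets the user replace the files inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_modify(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

# Constructed sample: a small modules directory with mixed permissions.
SAMPLE = {"node.module": 0o644, "views.module": 0o664, "contrib/cck.module": 0o646}

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="modules-")
    os.mkdir(os.path.join(root, "contrib"))
    for rel, mode in SAMPLE.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "contrib"), 0o775)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    gid = os.lstat(root).st_gid
    web_uid = os.getuid() + 1  # hypothetical web server uid that owns nothing here
    print("no shared group:", audit_tree(root, web_uid, set()))
    print("shares the group:", audit_tree(root, web_uid, {gid}))
```

An empty result for the web server's uid and groups is the state the message asks for; any path listed is one an upgrade script running inside the web server, or anything else running as that account, could overwrite.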

