[development] Drupal's CVS policies... including 'foriegn' codein TinyMCE module?

Tao Starbow starbow at citris-uc.org
Thu May 24 23:55:28 UTC 2007


I don't understand this argument.  We all already know there are 
insecure modules available for download from the Drupal CVS. That is 
just the nature of an unaudited contribution system. It is up to each 
module maintainer to make their project secure, and we all do it to 
varying levels of ability and diligence.  If a project maintainer 
includes 3rd party GPL code in a module, they are putting their personal 
reputation on the line, exactly the same if they don't include 3rd party 
code.
 
Besides the slashdot article is about insecure WordPress plugins that 
shipped with the core package.

Michael Hess wrote:
>> I would like to see a Drupal-optimized TinyMCE package.  It'd make it a
>> lot easier on me if it had standard Drupal-related plugins already
>> installed so I didn't have to do that manually for every site.
>
> I was not going to weigh in on this, but I provided a quote to a 
> client several weeks ago, they made the choose to do the work 
> themsevles in wordpress.
>
> Today I got a call from them, talking 
> about<http://it.slashdot.org/it/07/05/24/167223.shtml> asking me if I 
> was still willing to do the work.  I tried to explain to them that 
> drupal can suffer from the same issues. (They did not really 
> understand but that is ok for the purpose of this email)
>
> If we start allowing chunks of code in, I think it would end up being 
> a huge security issue for drupal over all.
>
> If a site gets compromised, it won't be X module, that was a security 
> issue, it will be drupal that is the security issue.
>
> just my 2 cents,
> Michael
>


More information about the development mailing list