[development] Drupal's CVS policies... including 'foreign' code in TinyMCE module?

Sean Robertson seanr at ngpsoftware.com
Fri May 25 02:26:51 UTC 2007


I agree with you in principle, but the problem is that end users don't 
consider contributed modules to be separate from core.  As more and more 
contributed modules become vulnerable to these kinds of issues, Drupal 
as a whole begins to look bad.  That's the primary reason for the 
restrictions on importing foreign stuff into Drupal CVS.  It annoys the 
hell out of me on occasion, but I can see their point, too.



Tao Starbow wrote:
> I don't understand this argument.  We all already know there are 
> insecure modules available for download from the Drupal CVS. That is 
> just the nature of an unaudited contribution system. It is up to each 
> module maintainer to make their project secure, and we all do it to 
> varying levels of ability and diligence.  If a project maintainer 
> includes 3rd party GPL code in a module, they are putting their personal 
> reputation on the line, exactly the same if they don't include 3rd party 
> code.
> 
> Besides, the Slashdot article is about insecure WordPress plugins that 
> shipped with the core package.
> 
> Michael Hess wrote:
>>> I would like to see a Drupal-optimized TinyMCE package.  It'd make it a
>>> lot easier on me if it had standard Drupal-related plugins already
>>> installed so I didn't have to do that manually for every site.
>>
>> I was not going to weigh in on this, but I provided a quote to a 
>> client several weeks ago, they made the choice to do the work 
>> themselves in WordPress.
>>
>> Today I got a call from them, talking 
>> about <http://it.slashdot.org/it/07/05/24/167223.shtml> asking me if I 
>> was still willing to do the work.  I tried to explain to them that 
>> Drupal can suffer from the same issues. (They did not really 
>> understand but that is ok for the purpose of this email)
>>
>> If we start allowing chunks of code in, I think it would end up being 
>> a huge security issue for Drupal overall.
>>
>> If a site gets compromised, it won't be X module, that was a security 
>> issue, it will be Drupal that is the security issue.
>>
>> just my 2 cents,
>> Michael
>>

-- 
Sean Robertson
Web Developer
NGP Software, Inc.
seanr at ngpsoftware.com
(202) 686-9330
http://www.ngpsoftware.com
