[development] Core drupal.module moved to contrib site_network.module

Derek Wright drupal at dwwright.net
Tue Oct 9 16:05:23 UTC 2007

On Oct 9, 2007, at 8:45 AM, Gerhard Killesreiter wrote:

> The question is: do we want to? People are using the password to  
> our site on some potentially insecure sites.


> I think it is desirable for d.o to stop using drupal.module as soon  
> as feasible.


> Read: As soon as g.d.o has fixed the issue. We should be able to  
> add missing email address by doing some syncronizing between d.o  
> and g.d.o's databases.

Depending on the timing of it, I think this might be too  
aggressive.   We've gone N years with this security problem, another  
month won't kill anyone.  I think we need a front page post about it  
with a specific deadline at which @drupal.org logins on other sites  
will no longer work.  I think we should give people at least a month  
to transition, upgrade, whatever they have to do.  Plus, we should  
attempt to have d.o as an OpenID provider ASAP (which doesn't require  
putting the OpenID server code in core for D6, mind you), ideally as  
part of the info in that front page post, encouraging people to use  
that instead...


More information about the development mailing list