[development] Think there's a security problem in your module? Here's what to do.

Khalid Baheyeldin kb at 2bits.com
Fri Jan 18 04:28:50 UTC 2008

> Given our distro system, if we're really worried about hackers
> sniffing commit logs, I would rather remove anonymous CVS access.

We can't do that. Many users rely on cvs access to deploy sites.

We can in theory shut that down. But what about http://drupal.org/cvs?

> That way you stop the vulnerability sniffing altogether.  Like I
> said I know I'm in the minority here and don't really expect to
> change your mind on this one.

If we shut down both, then it is no longer an open source project.

Didn't see any major project shut down like that.

> I've been involved with enough volunteer organizations to know that it's
> always an uphill battle to manage workload.  I don't begrudge that,
> but I try and keep my expectations tempered.
> I really hope no-one on the security team is offended.  I mean no
> such offense. I really do respect and appreciate the service that
> they provide and yes, I do consult with them when I do my security
> related fixes.

No offense taken at all, from you or from others. We are always open
to suggestions (and even recruiting for the security team!)

Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.