[development] Think there's a security problem in your module? Here's what to do.

Khalid Baheyeldin kb at 2bits.com
Fri Jan 18 04:28:50 UTC 2008


> Given our distro system, if we're really worried about hackers
> sniffing commit logs, I would rather remove anonymous CVS access.


We can't do that. Many users rely on cvs access to deploy sites.

We can in theory shut that down. But what about http://drupal.org/cvs?

> That way you stop the vulnerability sniffing altogether.  Like I
> said I know I'm in the minority here and don't really expect to
> change your mind on this one.
>

If we shut down both, then it is no longer an open source project.

Didn't see any major project shut down like that.


> I've been involved with enough volunteer organizations to know that it's
> always an uphill battle to manage workload.  I don't begrudge that,
> but I try and keep my expectations tempered.
>
> I really hope no-one on the security team is offended.  I mean no
> such offense. I really do respect and appreciate the service that
> they provide and yes, I do consult with them when I do my security
> related fixes.


No offense taken at all, from you or from others. We are always open
to suggestions (and even recruiting for the security team!)
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.