Php why must your apps suck so?
Toshio Kuratomi
a.badger at gmail.com
Thu Nov 1 18:31:31 UTC 2007
Michael Stahnke wrote:
>> identifying and removing security problems?
>>
>> For #1, compare the number of CVEs in mediawiki to moin and drupal to
>> zope+plone:
>>
>>                  2007    2006    2005
>> moin             5       0       0
>> mediawiki        7       5       12
>>
>> drupal           36      37      8
>> zope(plone)      1(+0)   2(+3)   1(+0)
>>
>
>
>> Now we all know that numbers can be misleading but still this seems to
>> highlight something for me: there are projects which care about security
>> and there are projects which tack it on as an after thought. No matter
>> how much work we put into security locally (SELinux, mod_security, code
>> auditing), we don't want to be using a project which belongs to the
>> latter camp. *Sending security patches upstream doesn't help if
>> upstream will just introduce a new batch of security issues in their
>> next release.*
>
> Some of the numbers might have to do with install-base size also. I
> realize you did qualify your statement, but I thought it should be
> called out explicitly. I know of dozens of mediawiki sites I use
> nearly every day, whereas moin, I know of one. Also, why is mediawiki
> ok for 108 and et.redhat.com but not for fedora? I would think some
> type of review/assessment was done for those sites.
>
The first sentence of my next paragraph is important here:
'''
PS: Purely on the basis of these numbers I'd be led to believe that
replacing moin with mediawiki would be acceptable. [...]
'''
;-)
In my mind, I drew the line between drupal and the rest of the projects
in that group. In plone+zope's worst year, it still had 7x fewer CVEs,
while mediawiki is pretty close to moin (1.4x). I didn't want to write
it in the paragraph you quoted because making that judgement drags in
install base (as you mention), which I don't have any numbers for.
-Toshio
More information about the Fedora-infrastructure-list
mailing list