Websites running on Drupal

seth vidal skvidal at phy.duke.edu
Sat Nov 12 21:16:38 UTC 2005


> So, would that be the same spreadfirefox.com that has been compromised
> three times in the last few months?  The same one that required users to
> keep changing their might-have-been-compromised information?  Kind of
> leaves me curious...
> 
> Do we have any information on Drupal's security track record?  PHP has
> had its fair share of problems.
> 

Drupal has had a fair share of issues. The xml-rpc issues hit it hard
and b/c there are an ever-growing set of modules for Drupal, which, of
course, we'd want to use ALL of - then we'll have to audit more and more
code that is OUTSIDE of the base package. Audits that we have no one to
conduct or focus on, in fact.

DANGEROUS behavior is what that is.

> I'm not meaning to bash on Drupal or PHP, but these are important
> concerns.  I'm not going to pretend that Python and the Python software
> currently in use are perfect, but security was one of the considerations
> in their selection.  It would be helpful to know how spreadfirefox.com
> was compromised.  If their failures were problems with Drupal or PHP, or
> if they were problems elsewhere would be nice to know.  Assuming we'll
> not learn that, we need to at least thoroughly investigate the security
> records of any software we consider.

http://blog.sethdot.org/index.cgi/263.html

The Ubuntu people have had a good deal of success focusing their efforts
on a single dynamically typed and web-interfacing language.

For proof of this look at launchpad.net, ubuntulinux.org, their wiki,
etc etc etc

-sv






More information about the Fedora-websites-list mailing list