Michael Stahnke wrote:
identifying and removing security problems?
For #1, compare the number of CVEs in mediawiki to moin and drupal to
zope+plone:

                 2007     2006     2005
    moin         5        0        0
    mediawiki    7        5        12
    drupal       36       37       8
    zope(plone)  1(+0)    2(+3)    1(+0)
Now we all know that numbers can be misleading but still this seems to
highlight something for me: there are projects which care about security
and there are projects which tack it on as an afterthought. No matter
how much work we put into security locally (SELinux, mod_security, code
auditing), we don't want to be using a project which belongs to the
latter camp. *Sending security patches upstream doesn't help if
upstream will just introduce a new batch of security issues in their
next release.*
Some of the numbers might have to do with install-base size also. I
realize you did qualify your statement, but I thought it should be
called out explicitly. I know of dozens of mediawiki sites I use
nearly every day, whereas moin, I know of one. Also, why is mediawiki
ok for 108 and et.redhat.com but not for fedora? I would think some
type of review/assessment was done for those sites.
The first sentence of my next paragraph is important here:
'''
PS: Purely on the basis of these numbers I'd be led to believe that
replacing moin with mediawiki would be acceptable. [...]
'''
;-)
In my mind, I drew the line between drupal and the rest of the projects
in that group. In plone+zope's worst year, it still had 7x fewer CVEs
while mediawiki is pretty close to moin (1.4x). I didn't want to write
it in the paragraph you quoted because making that judgement drags in
install base (as you mention) which I don't have any numbers for.
-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list