I've been lurking for a while, but haven't thrown my hat into the ring for any projects yet. I'd be willing to help with Drupal or Mediawiki, both of which I run internally for my present employer.

Matt Pusateri

On 11/1/07, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
> Michael Stahnke wrote:
> >> identifying and removing security problems?
> >>
> >> For #1, compare the number of CVEs_ in mediawiki to moin and drupal to
> >> zope+plone:
> >>
> >>                2007    2006    2005
> >> moin              5       0       0
> >> mediawiki         7       5      12
> >>
> >> drupal           36      37       8
> >> zope(plone)   1(+0)   2(+3)   1(+0)
> >>
> >
> >
> >> Now we all know that numbers can be misleading but still this seems to
> >> highlight something for me: there are projects which care about security
> >> and there are projects which tack it on as an afterthought. No matter
> >> how much work we put into security locally (SELinux, mod_security, code
> >> auditing), we don't want to be using a project which belongs to the
> >> latter camp. *Sending security patches upstream doesn't help if
> >> upstream will just introduce a new batch of security issues in their
> >> next release.*
> >
> > Some of the numbers might have to do with install-base size also. I
> > realize you did qualify your statement, but I thought it should be
> > called out explicitly. I know of dozens of mediawiki sites I use
> > nearly every day, whereas moin, I know of one. Also, why is mediawiki
> > ok for 108 and et.redhat.com but not for fedora? I would think some
> > type of review/assessment was done for those sites.
> >
> The first sentence of my next paragraph is important here:
> '''
> PS: Purely on the basis of these numbers I'd be led to believe that
> replacing moin with mediawiki would be acceptable. [...]
> '''
>
> ;-)
>
> In my mind, I drew the line between drupal and the rest of the projects
> in that group. In plone+zope's worst year, it still had 7x fewer CVEs
> while mediawiki is pretty close to moin (1.4x). I didn't want to write
> it in the paragraph you quoted because making that judgement drags in
> install base (as you mention) which I don't have any numbers for.
>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list