Re: Php why must your apps suck so?

Michael Stahnke wrote:
identifying and removing security problems?

For #1, compare the number of CVEs_ in mediawiki to moin and drupal to
                2007   2006   2005
   moin           5      0      0
   mediawiki      7      5     12

   drupal        36     37      8
   zope(plone)  1(+0)  2(+3)  1(+0)

Now we all know that numbers can be misleading but still this seems to
highlight something for me: there are projects which care about security
and there are projects which tack it on as an afterthought.  No matter
how much work we put into security locally (SELinux, mod_security, code
auditing), we don't want to be using a project which belongs to the
latter camp.  *Sending security patches upstream doesn't help if
upstream will just introduce a new batch of security issues in their
next release.*

Some of the numbers might have to do with install-base size also.  I
realize you did qualify your statement, but I thought it should be
called out explicitly.  I know of dozens of mediawiki sites I use
nearly every day, whereas moin, I know of one.  Also, why is mediawiki
ok for 108 and et.redhat.com but not for fedora?  I would think some
type of review/assessment was done for those sites.

The first sentence of my next paragraph is important here:
PS: Purely on the basis of these numbers I'd be led to believe that replacing moin with mediawiki would be acceptable. [...]


In my mind, I drew the line between drupal and the rest of the projects in that group. In plone+zope's worst year, it still had 7x fewer CVEs while mediawiki is pretty close to moin (1.4x). I didn't want to write it in the paragraph you quoted because making that judgement drags in install base (as you mention), which I don't have any numbers for.

