CMS Decision - answers on Drupal

Greg Knaddison greg.knaddison at gmail.com
Thu Dec 15 05:08:31 UTC 2005


On 12/14/05, seth vidal <skvidal at phy.duke.edu> wrote:
> > However, one of the main arguments against Drupal was security
> > problems, supposedly inherent to PHP based software. My claim is that
> > when OSS is used in high profile scenarios it gets tested thoroughly
> > against attempted attacks.
>
> To be honest the above is a not-so-terribly-well-founded assumption.
> Just b/c code is open doesn't mean it gets audited. It means it CAN get
> audited - but not that it does. I think you'll have a hard time backing
> up that claim with evidence.

Fair enough.

I don't really want to get into the discussion about
security/PHP/whatever.  There were some questions in the thread about
Drupal and I wanted to make sure that you were making a sufficiently
informed decision about the tool.

>
> Moreover one of the other arguments against php was that as all of the
> rest of the tools that do just about ANYTHING in fedora are written in
> python that it would be easier to integrate and borrow routines if we
> were using the same language.
>
> We (fedora) should be encouraging a single dynamically typed and a
> single statically typed language. It helps keep us on message and it
> means the tools are less painful to install as they require fewer
> diverse dependencies.
>

Is this where the several different mentions of replacing bugzilla
were rooted?  That was mentioned a couple times in the thread and I
didn't quite get it since Red Hat seems to have a pretty big investment
in Bugzilla.

Is there a Python bug tracker in existence or planned?

> so there's much more to it than just security.
>

Yes, and I think I got that.  But there was also a dismissal of PHP
based systems right off the bat just because they are PHP based.  And I
think that's unfair, especially when they were being compared to a
planned major modification to Python-webapps.  It's easy and almost
always fallacious to say "well, the new system won't have any bugs in
it because we're going to make it awesome" and it appears to me that's
what you're doing.  I respect the talents and minds of the various
people in f-w-l, but I also doubt anyone's ability to make bug-proof
code.

> But to be honest, I'm tired of all this shit. I'm too busy to help with
> it and I'm tired of hearing about it.
>
> The new box for fedoraproject.org should be racked and in place tomorrow
> or Friday. Once that's done I'll set up the user account system Elliot
> worked on, configure the backups and leave it the hell alone.
>
> I'll just go on the record as saying I think drupal and php are poor
> choices for this system and will cause problems for us in the long run.
> Y'all can figure out how to solve the problems. I'll just make sure the
> box keeps running and that our backups are good for WHEN the site gets
> defaced.
>

Right...ok, so any more questions on it (since I got some off-list),
feel free to ping me and I'll do my best to answer or at least point
you in someone else's direction.

Regards,
Greg



