
BLU Discuss list archive



I may have been cracked. yippee!



Kristian Hermansen wrote:
> On 6/20/07, Matthew Gillen <me-5yx05kfkO/aqeI1yJSURBw at public.gmane.org> wrote:
>> That's why I use Drupal (drupal.org).  It was the first CMS I came across that
>> actually had a "security announcement" mailing list, which I consider a bare
>> minimum for software like that (i.e. public-facing, written in PHP).
>> Anecdotally, most of the security bulletins are not for the core system, but
>> contributed modules.
> 
> Right...
> http://milw0rm.com/search.php?dong=drupal

I said *most*, not *all*.  And the vast majority of the security advisories
are in fact for third-party modules:
http://drupal.org/security

>> You can make things easier on yourself if you're comfortable using a cvs
>> checkout for your site, since many of the security announcements say you can
>> just 'cvs update' to fix the problem (they pretty much always also offer a
>> patch).
> 
> Or you could use Plone if you are concerned about security.  I haven't
> seen any public exploits for it yet, but obviously all applications
> will eventually have a security flaw introduced at some point...

Lack of public knowledge about security flaws doesn't mean there aren't any.
Personally, I'd rather know that there was an active security team that
quickly resolves issues as soon as they are identified (and provides an easy
way for me to get notified about such things) than to know that there aren't
any publicly known exploits.

Matt








BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
