Michael Stahnke wrote:
Again, blaming the lanaguage doesn't make a ton of sense. If you're
worried about XSS, audit the code. If you're worried about buffer
attacks, run SELinux. The list goes on.
We could audit the code of everything that goes into infrastructure but
our manpower would spend quite a bit of time on that (every new service
and every update would have to be reviewed....) Can we do this? Could
we setup a SIG which was interested enough in security to do this?
(Such a sub-project would have a benefit to Fedora as a whole, not just
infrastructure... but it isn't a trivial task.)
If not we have to play the stock market on this one. 1) What's past
performance been like? 2) How's the current management doing at
identifying and removing security problems?
For #1, compare the number of CVEs_ in mediawiki to moin and drupal to
zope+plone:
2007 2006 2005
moin 5 0 0
mediawiki 7 5 12
drupal 36 37 8
zope(plone) 1(+0) 2(+3) 1(+0)
Now we all know that numbers can be misleading but still this seems to
highlight something for me: there are projects which care about security
and there are projects which tack it on as an after thought. No matter
how much work we put into security locally (SELinux, mod_security, code
auditing), we don't want to be using a project which belongs to the
latter camp. *Sending security patches upstream doesn't help if
upstream will just introduce a new batch of security issues in their
next release.*
PS: Purely on the basis of these numbers I'd be led to believe that
replacing moin with mediawiki would be acceptable. Knowing the mismatch
in priorities between us and upstream moin, this might be a benefit to
us (especially if we have some expert help tuning an SELinux policy and
setup mod_security for it). Drupal, though, just makes me feel like
we'd be trying to keep water in a sieve by putting it in a trash bag.
PPS: we're currently creating SELinux policies for our machines that
allow us to run in enforcing mode... Depending on the timeframe we're
looking at for deploying that, we might need to create an app server
that is specifically going to run SELinux from day one; implementing
these new services there while we transition the old services over.
.. CVEs: CVEs were simply searched for by project name in
http://nvd.nist.gov/nvd.cfm?advancedsearch and counted. No attempt was
made to find duplicates, or invalid CVEs for any of the projects.
-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
