The security team is getting a number of public statements about the perceived quality of Drupal security. Part of this is due to the closed nature of security work. Part of this is due to a focus on creating security patches, and not enough effort on outbound security education. One complaint is that security is not displayed prominently both on Drupal.org and in the Drupal software.

I'd like to request that we include one of two links to Drupal 6.

http://drupal.org/node/213320 - My Site Was Defaced ("hacked"), What Should I do Now?
http://drupal.org/node/101494 - HOWTO: Report a security issue

One possibility would be here: admin/reports/updates

Note, I am only suggesting a text interface change, to help educate users about Drupal security and hold off a perception about Drupal's security. Let me know where you think the appropriate place to have a link to security resources is, and I'll try to get a patch in.


Comments

greggles’s picture

I suggest we move this to the README.txt or to 7.x. I think it's too late for 6.x.

Amazon’s picture

Of course, the interface has already been translated to many languages.

README is the next logical place.

Thanks for pointing this out.

dww’s picture

Title: Update system could link to security documentation resources » Update status could link to security documentation resources
Version: 6.0-rc3 » 6.x-dev
Component: update system » update.module

admin/reports/updates is from the "update.module". confusingly, the "update system" refers to update.php and the DB update system. i've always been uneasy about this name collision ever since i was told to strip the "_status" part out of the module when it moved into core. oh well.

anyway, i'm not sure this is really the best place for such links. this page is already rather busy as it is, and i doubt most people will pay attention to those things buried in the help text.

and, as a string breaker on the eve of a release, this seems destined for being postponed, even if we wave the "security" trump card in the air a few times...

that said, #213320 seems like a bad title to put in the Drupal admin UI. ;) I'd be more comfortable linking to #101494 I think. Probably this will just get moved to 7.x-dev, but I'll leave it at 6.x-dev for now.

dww’s picture

Title: Update system could link to security documentation resources » README.txt could link to security documentation resources
Version: 6.0-rc3 » 6.x-dev
Component: update system » documentation

Looks like we all agree this isn't going to happen in update.module. There's still hope of getting this into the README.txt if someone's so inspired...

keith.smith’s picture

Title: README.txt could link to security documentation resources » INSTALL.txt could link to security documentation resources

Note that there is no README.txt, but INSTALL.txt would work.

keith.smith’s picture

Status: Active » Needs review
FileSize: 1.31 KB

First draft attempt at adding some "For more information" security references in the "MORE INFORMATION" section of INSTALL.txt.

keith.smith’s picture

Er. Now with an extra comma.

dww’s picture

Status: Needs review » Needs work

Great, thanks.

However, this seems not ideal:

- For a list of security announcements, see the "Security announcements" page
  at http://drupal.org/security or subscribe to drupal.org's "Security
  announcements" mailing list or RSS feed.

It doesn't say how to subscribe to those things, and the "Security announcements" mailing list isn't really a mailing list per se.

How about something like this:

- For a list of security announcements, see the "Security announcements" page
  at http://drupal.org/security (available as an RSS feed). This page also
  describes how to subscribe to these announcements via e-mail.

?

keith.smith’s picture

Status: Needs work » Needs review
FileSize: 1.37 KB

Sure. The attached patch reflects dww's suggestions in #9.

dww’s picture

Status: Needs review » Reviewed & tested by the community

Looks good to me. Thanks.

Gábor Hojtsy’s picture

Version: 6.x-dev » 7.x-dev

Committed to 6.x. Needs to be committed to 7.x.

Dries’s picture

Status: Reviewed & tested by the community » Fixed

I've committed this patch to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.