The security team is getting a number of public statements about the perceived quality of Drupal security. Part of this is due to the closed nature of security work. Part of this is due to a focus on creating security patches, and not enough effort on outbound security education. One complaint is that security is not displayed prominently both on Drupal.org and in the Drupal software.
I'd like to request that we include one of two links to Drupal 6.
http://drupal.org/node/213320 - My Site Was Defaced ("hacked"), What Should I do Now?
http://drupal.org/node/101494 - HOWTO: Report a security issue
One possibility would be here: admin/reports/updates
Note, I am only suggesting a text interface change, to help educate users about Drupal security and hold off a perception about Drupal's security. Let me know where you think the appropriate place to have a link to security resources is, and I'll try to get a patch in.
Comment | File | Size | Author |
---|---|---|---|
#10 | for_more_information_3.patch | 1.37 KB | keith.smith |
#8 | for_more_information_2.patch | 1.31 KB | keith.smith |
#7 | for_more_information.patch | 1.31 KB | keith.smith |
Comments
Comment #1
greggles: I suggest we move this to the README.txt or to 7.x. I think it's too late for 6.x.
Comment #2
Amazon commented: Of course, the interface has already been translated to many languages.
README is the next logical place.
Thanks for pointing this out.
Comment #3
dww: admin/reports/updates is from the "update.module". confusingly, the "update system" refers to update.php and the DB update system. i've always been uneasy about this name collision ever since i was told to strip the "_status" part out of the module when it moved into core. oh well.
anyway, i'm not sure this is really the best place for such links. this page is already rather busy as it is, and i doubt most people will pay attention to those things buried in the help text.
and, as a string breaker on the eve of a release, this seems destined for being postponed, even if we wave the "security" trump card in the air a few times...
that said, #213320 seems like a bad title to put in the Drupal admin UI. ;) I'd be more comfortable linking to #101494 I think. Probably this will just get moved to 7.x-dev, but I'll leave it at 6.x-dev for now.
Comment #5
dww: Looks like we all agree this isn't going to happen in update.module. There's still hope of getting this into the README.txt if someone's so inspired...
Comment #6
keith.smith commented: Note that there is no README.txt, but INSTALL.txt would work.
Comment #7
keith.smith commented: First draft attempt at adding some "For more information" security references in the "MORE INFORMATION" section of INSTALL.txt.
Comment #8
keith.smith commented: Er. Now with an extra comma.
Comment #9
dww: Great, thanks.
However, this seems not ideal:
It doesn't say how to subscribe to those things, and the "Security announcements" mailing list isn't really a mailing list per se.
How about something like this:
?
Comment #10
keith.smith commented: Sure. The attached patch reflects dww's suggestions in #9.
Comment #11
dww: Looks good to me. Thanks.
Comment #12
Gábor Hojtsy: Committed to 6.x. Needs to be committed to 7.x.
Comment #13
Dries commented: I've committed this patch to CVS HEAD. Thanks!