[HacktionLab] Drupocalypse v3 Can it ever stop

naomi naomi at aktivix.org
Fri Apr 27 10:11:01 UTC 2018


I agree, Clara.

Drupal is extremely useful if you have a site of any complexity.

Any continually evolving, web-facing application with a huge user base
is going to be constantly targeted by hackers. The fact that Drupal has
a lot of security updates doesn't mean it is worse than other similar
applications - it means it is better, because it means it is being
looked after.

Babies and bathwater, woods and trees, tha knows

N


On 27/04/18 12:24, clara wrote:
> Hi,
>
> The reason why two security updates came after each other like that was
> in fact to protect those sites that would be patched straight away.
>
> The security team could have straight away made a patch that would have
> fixed everything - but that would also directly point to the vulnerability.
> When they released the first patch, the issue was something that could
> be exploited - but for which (as far as they knew) there weren't any
> exploits out.
> And when an exploit came out they straight away released the second patch.
> So that means sites where the maintainers are swamped with work got an
> extra 3 weeks that kept them safer.
>
> The problem is not Drupal - it's the fact that any dynamically generated
> site does need maintenance.
> Even with Wordpress' auto-update, there are still plenty of Wordpress
> sites that are now hacked to mine bitcoins.
>
> If somebody doesn't have time or money to ensure that their site is
> updated then there are several options.
>
> 1) Ask yourself before you build the site what you actually need and
> what you can maintain or have somebody else maintain for you. If you
> can't have it maintained and don't need the functionality, then use a
> dynamically generated site (neither Drupal, nor Wordpress nor anything
> like that), use a static site generator.
>
> 2) Use a shared hosting like Mayfirst collective or Pantheon or so if
> you want it more commercial. They usually provide the core updates.
>
> 3) Pay for a service that does the updates. Dropguard costs about 9€ a
> month to do that, and there are some others as well. Don't expect others
> to save you and your site out of the goodness of their heart - at least
> not repeatedly or without having agreed on that.
>
> And the point that interests me most:
>
> 4) Build a network to share the skills and the work. I could have easily
> patched a few more sites while I was on it. And I would also be happy to
> know that there are trusted people around who have the needed access to
> a machine in case I'm travelling on Wednesday.
>
> In solidarity
> clara
>
>
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab
