INSTALL.txt could link to security documentation resources

Project: Drupal core
Version: 7.x-dev
Component: documentation
Category: feature request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

The security team is getting a number of public statements about the perceived quality of Drupal security. Part of this is due to the closed nature of security work. Part of this is due to a focus on creating security patches, and not enough effort on outbound security education. One complaint is that security is not displayed prominently both on Drupal.org and in the Drupal software.

I'd like to request that we include one of two links to Drupal 6.

http://drupal.org/node/213320 - My Site Was Defaced ("hacked"), What Should I do Now?
http://drupal.org/node/101494 - HOWTO: Report a security issue

One possibility would be here: admin/reports/updates

Note, I am only suggesting a text interface change, to help educate users about Drupal security and hold off a perception about Drupal's security. Let me know where you think the appropriate place to have a link to security resources is, and I'll try to get a patch in.

Comments

#1

I suggest we move this to the README.txt or to 7.x. I think it's too late for 6.x.

#2

Of course, the interface has already been translated to many languages.

README is the next logical place.

Thanks for pointing this out.

#3

Title: Update system could link to security documentation resources » Update status could link to security documentation resources
Version: 6.0-rc3 » 6.x-dev
Component: update system » update.module

admin/reports/updates is from the "update.module". confusingly, the "update system" refers to update.php and the DB update system. i've always been uneasy about this name collision ever since i was told to strip the "_status" part out of the module when it moved into core. oh well.

anyway, i'm not sure this is really the best place for such links. this page is already rather busy as it is, and i doubt most people will pay attention to those things buried in the help text.

and, as a string breaker on the eve of a release, this seems destined for being postponed, even if we wave the "security" trump card in the air a few times...

that said, #213320 seems like a bad title to put in the Drupal admin UI. ;) I'd be more comfortable linking to #101494 I think. Probably this will just get moved to 7.x-dev, but I'll leave it at 6.x-dev for now.

#5

Title: Update status could link to security documentation resources » README.txt could link to security documentation resources
Component: update.module » documentation

Looks like we all agree this isn't going to happen in update.module. There's still hope of getting this into the README.txt if someone's so inspired...

#6

Title: README.txt could link to security documentation resources » INSTALL.txt could link to security documentation resources

Note that there is no README.txt, but INSTALL.txt would work.

#7

Status: active » needs review

First draft attempt at adding some "For more information" security references in the "MORE INFORMATION" section of INSTALL.txt.

Attachment: for_more_information.patch
Size: 1.31 KB
Status: Ignored: Check issue status.
Test result: None
Operations: None

#8

Er. Now with an extra comma.

Attachment: for_more_information_2.patch
Size: 1.31 KB
Status: Ignored: Check issue status.
Test result: None
Operations: None

#9

Status: needs review » needs work

Great, thanks.

However, this seems not ideal:

- For a list of security announcements, see the "Security announcements" page
  at http://drupal.org/security or subscribe to drupal.org's "Security
  announcements" mailing list or RSS feed.

It doesn't say how to subscribe to those things, and the "Security announcements" mailing list isn't really a mailing list per se.

How about something like this:

- For a list of security announcements, see the "Security announcements" page
  at http://drupal.org/security (available as an RSS feed). This page also
  describes how to subscribe to these announcements via e-mail.

?

#10

Status: needs work » needs review

Sure. The attached patch reflects dww's suggestions in #9.

Attachment: for_more_information_3.patch
Size: 1.37 KB
Status: Ignored: Check issue status.
Test result: None
Operations: None

#11

Status: needs review » reviewed & tested by the community

Looks good to me. Thanks.

#12

Version: 6.x-dev » 7.x-dev

Committed to 6.x. Needs to be committed to 7.x.

#13

Status: reviewed & tested by the community » fixed

I've committed this patch to CVS HEAD. Thanks!

#14

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.
