Drupal getting a little paranoid ?!? (module remove related)

TinTin_Pinguin - September 18, 2008 - 15:06

Today I received another SA from Drupal.
This time, the “security team” is just telling us that the “answers” module has some XSS inside and asks us to remove the module! The module page is giving a nice “access denied” error.

No explanation, no nothing.

Just remove and go home.

Some site owners do use this module online.
For them, this action may look a little bit impolite, at least.

Wonder if THIS is Open Source spirit these days?

Tintin

Was this a drupal designed mod?

ctkscout - September 18, 2008 - 15:12

Is this a mod that Drupal designed themselves or a contributor?

Charlie

Decision

TinTin_Pinguin - September 18, 2008 - 15:18

I would say that the decision “owner” would be the subject here.
Who made that brilliant decision and why?
I am sure there is a very good reason, I just wonder if this should be a secret for the community.

a little more explanation

greggles - September 19, 2008 - 03:19

Hello TinTin_Pinguin,

I think you're overreacting and stating things that are not true. The explanation is right here.

The security team always first tries to work with the module maintainer to come up with a solution that will allow users to keep using a module. However, sometimes this is not possible (the maintainer doesn't respond, or doesn't understand our advice).

In these situations the solution we are forced to choose is to let site users know that the module is insecure and no longer supported and prevent future users from downloading the insecure module. The Update Status module (contributed module for Drupal 5, core for Drupal 6) will alert users that a module is unsupported if the project nodes are unpublished.

In this case, the answers module could be easily re-created using the cck module and perhaps a few other small modules.

Is this paranoid? Well, that's up to you. You are always welcome to continue using a module that has security holes in it, that's always your freedom.

Can you state what you think the security team should have done? Keep in mind that it is overworked and understaffed so any solution like "fix the module themselves" or "provide an upgrade to a new system" is simply not feasible.

--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
