by QuiDortDine 1120 days ago
I used to work with Drupal; it was a security nightmare, like almost all community-based extension systems (see also npm). Modules made Drupal popular, but they also made it close to impossible to have any sense of security, as only very popular modules would be audited, and you basically needed a panoply of smaller ones depending on your use case.

I wonder if that's changed over time, for instance I could see GPT3.5 doing a good job of summarily inspecting modules systematically.

3 comments

This is also the case with similar popular platforms like WordPress: there is always tension between expanding what you can do to include nearly everything people can think of, and at the same time keeping some basic checks/safeguards. There is also the issue that the most popular platforms and plugins will receive the most attention from attackers. Technologies like Wasm at least provide hope of alleviating some of those concerns by "sandboxing" the modules (i.e. if a module is a spellchecker, it should not be allowed to connect to the network, etc.).
I'm not familiar with how it used to be, but Drupal does have a security advisory process[1] for contributed modules. I don't know, but I'd imagine having moved the contrib ecosystem to Gitlab, and composer-based dependency management, has made some dimensions of security auditing easier to do at scale. I'd say it's still true that you can't easily stay 100% within that security advisory umbrella.

1. https://www.drupal.org/drupal-security-team/security-advisor...

Is there already a law in place, or are we supposed to use Godwin's?