[TYPO3] a thought about security announcements and automatic security alert

bernd wilke xoonsji02 at sneakemail.com
Wed May 28 22:15:56 CEST 2008


on Tue, 27 May 2008 11:27:45 +0200, Francois Suter wrote:

> Hi,
> 
>> I've just thought that it is really some work to check all "yours"
>> TYPO3 installations to find out which one has security bug announced in
>> Security Bulletin.
> 
> Actually I had started thinking about something. Over time I have
> accumulated quite a lot of TYPO3 sites and I have trouble knowing which
> are running which version and using which extensions (at which version).
> 
> My idea was to develop an extension that can monitor other TYPO3
> installs. It would actually be a series of extensions:
> 
> - a BE module for the "master" install from which you survey the others
> - a client module for each TYPO3 install to survey
> 
> Those 2 extensions would provide base services (i.e. retrieve info about
> TYPO3 version, extensions installed, etc.), but other extensions could
> add other views, for whatever each developer can think of. One service
> would be to add security bulletin info and automatically get a list of
> relevant TYPO3 installs.

sounds great.
just a few thoughts, you may have had:

server:
requests to remote server must include a password, including encryption. 
Else everyone could request version and look for possible security-holes.

besides the version-number of an extension it would be good to know 
whether an extension is in original-state (not every extension is 
installed unmodified). The EM can provide this information, as in the 
extension-file-view (md5-hashes).

client:
if only the client requests the security-announcements, it is less 
traffic than having requests on every installation.

different views for:
- list of all extensions in all installations
- list of all extensions covered by a security-announcement
- list of all installations using a specific extension


> This is quite a lot of work and I haven't progressed much yet, so I
> quite feel like sharing the development of this if there are some people
> interested in here. The project(s) would be hosted on forge.typo3.org
> obviously, which is very convenient for sharing both ideas and work.
> 
> What do you think? Anyone interested?

let's look for some spare time ;-)

bernd
-- 
http://www.pi-phi.de/t3v4/cheatsheet.html
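
The two server-side points raised in this message (authenticated status requests, and reporting whether an extension is still in its original state) are sketched below as an added example; it is not code from the thread or from TYPO3. All names, the sample data and the 300-second window are assumptions, SHA-256 is used here in place of the EM's md5 hashes, and transport encryption (e.g. HTTPS) is assumed to be handled outside this code.

```python
import hashlib
import hmac

MAX_SKEW = 300  # assumed: seconds a signed request stays valid


def sign(secret: bytes, site: str, ts: int) -> str:
    # Master side: prove knowledge of the shared secret without sending it.
    return hmac.new(secret, f"{site}|{ts}".encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, site: str, ts: int, sig: str, now: int) -> bool:
    # Reject stale timestamps (replay) first, then compare in constant time.
    if abs(now - ts) > MAX_SKEW:
        return False
    return hmac.compare_digest(sign(secret, site, ts), sig)


def extension_state(files: dict, manifest: dict) -> dict:
    # Compare current file hashes with those recorded at install time.
    current = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    return {
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
    }


def handle_status_request(secret, site, request, installed, now):
    # Client side: unauthenticated callers learn nothing about versions.
    if not verify(secret, site, request["ts"], request["sig"], now):
        return {"status": 403}
    report = {}
    for key, ext in installed.items():
        state = extension_state(ext["files"], ext["manifest"])
        report[key] = {"version": ext["version"], "original": not any(state.values()), **state}
    return {"status": 200, "extensions": report}


# Constructed sample data: one untouched and one locally patched extension.
ORIGINAL = {"ext_emconf.php": b"<?php /* v1.2.0 */", "pi1/class.php": b"<?php /* plugin */"}
MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in ORIGINAL.items()}
INSTALLED = {
    "demo_news": {"version": "1.2.0", "files": dict(ORIGINAL), "manifest": MANIFEST},
    "demo_forum": {"version": "0.9.1", "manifest": MANIFEST,
                   "files": {**ORIGINAL, "pi1/class.php": b"<?php /* local patch */"}},
}
SECRET = b"constructed-shared-secret"
```
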

