Posted by manjit.singh on August 7, 2015 at 1:24pm
Some steps of current review process:
- Users create a sandbox for their new projects and get reviews from other community members.
- Other reviewers give them instructions and some guidelines related to code/security etc.
- After too many reviews and changes to their code, the project finally gets approved, which upgrades their permission to create a full project.
So my question here is:
Why are we giving users access to create full projects without any code review?
I mean, any user who has access to create a full project can add a malicious/vulnerable module/theme, as the review process is not followed after that. In addition, that malicious script can put a site at great risk.
How will we handle that module/theme? Is there any automated script that handles all these security checks?

Comments
There is already discussion on this here: https://www.drupal.org/node/2453587. I think your concerns are already addressed there.
"It was intended as a means to help on-board new contributors into the Drupal community, and provide a level of mentoring and guidance before setting them loose in contrib" https://groups.drupal.org/node/288818
I have never seen someone abusing the permission to create full projects and create malicious code intentionally. While it is certainly possible to do so after getting the vetted status, there are many people looking at your code.
The process is meant to educate around git repository policies (licensing, no 3rd party code) and Drupal standards (use of APIs, security, documentation, code style). There are cases of people who do things that are against those policies and standards, though I think you're right that it's more an act of ignorance of the rules than malicious defiance.
knaddison blog | Morris Animal Foundation