Open source software security

Drupal Angst

2 May 2011
From reading my blog and website you might get the impression that if asked to recommend a CMS I would answer: Drupal. The reality is that I was an unfortunate evangelist of Drupal early on when my work did a CMS evaluation. We looked at the available systems that matched our infrastructure and our requirements and chose Drupal. I ended up learning Drupal in order to implement it in a large, enterprise environment. I sold the system to my co-workers and my superiors and was then invested in supporting it. Sadly, I couldn't have chosen a less fulfilling technology community to join. I'm a big fan of open source, but Drupal has drained my enthusiasm.

I find quite a few problems with the Drupal technology itself. The Drupal product is complex and unforgiving, requiring a long time to learn and master. Unfortunately it also has a fairly rapid development cycle, meaning that every three years or so the product changes pretty radically and you have to re-dedicate yourself to learning all the new nuances of the latest version.

The community is another major source of my angst. I find that a lot of Drupal developers are great people, but the folks at the top can be very insular. As a security researcher I've approached the community many, many times only to be rebuffed. Even though I've discovered over 150 security vulnerabilities in Drupal and have asked repeatedly if I could join the Drupal security team, I've never been welcomed. I'm devoting my time and effort to make a product better when that community doesn't want me, while the improvements I help make in Drupal enrich others.

For some reason Drupal is increasingly getting hype, or perhaps I'm just sensitive to the press Drupal gets because I'm involved in the community. Reading a recent Slashdot story on Drupal I found myself commiserating with the gripes of the many posters and reading the various evangelical postings about Drupal as somewhat slavish and overzealous. It seemed typical of the community at large - the supporters will openly evangelize and are completely unapologetic about the cliquish nature of the community and the tremendous difficulty in using the product.

In the end I think my biggest problem with Drupal comes down to the fact that it's written in functional PHP. This is a development paradigm that hearkens back to PHP 4, making it nearly a decade old. The code base is huge and unruly and just isn't based on good technology. I think there are a lot of really smart people working with Drupal, but in the end it's a dinosaur under the hood. Even Drupal 7 hasn't done much to change my opinion. Drupal also suffers from a complete lack of good documentation, which makes learning the system an exercise in extreme exertion that often results in reading the actual PHP code of the core. Drupal certainly works, but I feel like it's a pretty inelegant system.

In retrospect I'm sorry I didn't look more closely at Plone or a Java-based system, but at the time our development support was limited to PHP. We've already deployed dozens of sites on Drupal and the multisite support has been a blessing, but as my investment ages I'm beginning to regret tying my horse to the Drupal wagon.