![Popular open source software is more secure than unpopular open source software, because insecure software becomes unpopular fast. [That doesn't happen for proprietary software.]](../sites/all/themes/drupal4hu/images/bg-center/bg-center_4.png)
Again I need to use my blog to answer some really bright guy who thought that the world would be poorer if his wisdom would not pollute the Drupal Planet. He is wrong: Drupal is not WordPress. We do not make compromises in security design. Any ways of updating/installing a module on the webserver which does not ask you a password does make such a compromise. Now, Drupal has an auto update but it stays secure. Joshua Rogers took on implementing that under the name of Plugin Manager as a Summer of Code project. He stayed with us and develops it. There was a call for core inclusion. A port has been made by swentel. What more do you want? I know what I want: Plugin Manager in core. Care to help?
Commenting on this Story is closed.
And setup a plan and see what steps to take for including this in core, I'm still very much available for help, but I think it might be nice to have a bit of guidance.
Instead of asking the user to choose we should automatically detect the ways available and use. Preferred order is SSH, FTP. Also we should add an FTP backend option based on raw sockets. So PM checks for ssh2, ftp wrapper, ftp extension and finally checks whether fsockopen is available.
Enable it only if it will work. So create a check much like clean URL just this time we want to peek at port 21 / 22 and if we get no reply then disable it and provide documentation in the handbook how to fix this.