Heine

We released Drupal 6.14 because of a number of vulnerabilities in the OpenID core module. One of those vulnerabilities was caused by not obeying the OpenID 2.0 Authentication specification.

A number of other spec violations was discovered while working on the security issue. This might not be that be surprising, after all, our OpenID implementation was written against a draft, not the final 2.0 specification.

In addition, the issue queue on the OpenID core module hints that the OpenID module is going the way of BlogAPI (another Drupal dodo).

Rather than trying to fix each violation, I decided to correct the immediate issue and then start a belated OpenID 2.0 Compliance Crusade in public, to get our OpenID implementation fully compliant.

Wanna join in? Great! The rest of this post is meant to provide a slightly easier introdcution into the first part of OpenID than the official specs. To prevent disappointment: It's basically a partial retelling of the spec. With this introduction, you should be able to investigate spec violations, and file and review patches for OpenID.

The bugfixing procedure for Drupal 6 is, to say the least, "suboptimal".

Witness Issue #261258, that's been with us since Drupal 6.0. Thirteen releases later and the bug is still present.

Why, you ask? Because bugs should be fixed in HEAD (future release of Drupal) first, before being backported to 6.x-dev.

Varnish is running on the same box (lame duck edition) as Apache, and specifically configured to cache pages for anonymous users, not just JS, CSS and images. The pressflow reverse proxy patches were used to prevent sessions for anonymous users. All on Drupal 6.13.

The ab command used to build the graph includes a fake has_js cookie:

The no cache requests/seconds number decreases from about 7.2 request/s to 4.2 requests/s. A large number of requests fail if the concurrency is increased above 100 for non-varnish setups.

Dear themers,

.... in page.tpl.php breaks Home functionality on many multilingual sites.