Some popular CMSs have a huge number of add-ons and try to fix every security problem as quickly as possible, without hiding. They end up with a lot of security announcements.

This seems to be the wrong way, because they distribute broken code and fix it after that. Not intentional, but that's the picture this is painting.

Are there any free CMS projects which have a strict system of code review for any given add-on? Contributing to such a project could become tiresome, but it would be worth it.

EDIT: I'm getting mixed messages on SO and other places. If you are going to ask for any good CMS, you always get the same few in the top mentioned ones. And they have one thing in common: Many modules. These CMSs define themselves by this humongous amount of add-ons, without which they weren't half as interesting.

These add-ons are "advertised" and offered on the main project's site. A repository full of code from disastrous to awesome.

A: 

Avoid using add-ons which don't live up to your quality standards. Most mature CMSs are quite robust without add-ons.

The purpose of add-ons is generally to let users add functionality without requiring the CMS publisher's input. It's the add-on developers' responsibility to have robust code. I would be surprised if a free CMS project allowed add-ons, but required a strict code review for them. If the system is free and open, add-on publishers can simply release the add-ons themselves.

If you have certain requirements for robustness and security and you can't find a solution, you can always develop it yourself. That way you can ensure that the add-on code follows your standards.

Ben S
A: 

This is a very tough arena, especially in the "Free" markets.

I spend a lot of time with DotNetNuke, which is an open source, CMS type framework. There are frequent releases, some of which identify security issues. Core module projects (add-ons) go through a security review with all public releases, which helps a lot.

The third-party market though is a bit scary when it comes to security.

Mitchel Sellers
+2  A: 

No. Add ons for each CMS are separate from the main project. Some projects have "core" modules that are reviewed and audited with the main code line as they are considered part of the CMS, rather than an add-on, even though they are implemented as add-ons.

If you use only the core and project approved add-ons then you'll be as safe as one can be depending on the reviews they give.

There are no free projects that currently have an auditing, signing, or certification process for third party add-ons. The resources in a free project are often simply not available.

Lastly, please keep in mind that even a 'strict code review' will not eliminate all bugs and security risks. Such a review prevents some bugs and risks from getting through, and raises the bar, but there is no silver bullet. Such a project as you describe will certainly release security fixes from time to time.

Adam Davis