Hi Matt, I feel already sorry that I have to send this...
I was going through RCs that I could fix (as all my packages are mostly in order), and I believed this one is one that I could fix. I thought that I would just ask: "Have you ever considered patching so that PHPwiki uses ~E_DEPRECATED type of error reporting, so that it wont display so many ugly messages?" which would have been a work-around. But considering my findings, that wont be what I'll say. When I had a look in the package, I have found that it is embedding loads of libraries that are available in Debian, and even some that CANNOT be embedded in phpwiki, because of license restrictions. Namely (and maybe not even an exhaustive list): - php-fpdf (1.51, when even Lenny has 1.53.dfsg-6) - nusoap (old version 0.6.3 with embedded PHP 5.3 deprecation and security fixes (XSS attack) that I fixed recently in Squeeze and SID) - lib/captcha/Vera.ttf - fckeditor (old version from 2007) - php-cache (v1.2 when v1.5.5RC4 can be found in Lenny, using a php license 2.02 which use is forbidden outside PHP itself if a package is named phpSOMETHING) - ... More over, the package source embeds php-db (but it doesn't seem to be shipped in the binary packages). Even more bad: the debian/copyright file doesn't list any of the authors of the files in lib. At this point, I even wonder how this even got accepted by the ftp-masters. I really think that now, we have no other option than to remove PHPWiki from Debian, or to work really hard on it so that: 1/ The debian/copyright is written correctly with all authors listed and a full review of all files in lib/* is made 2/ Embedded libraries that are already packaged in Debian are used 3/ PHP deprecations are removed OR ~E_DEPRECATED is used 4/ Libraries that the package embeds are packaged separately 5/ A +dfsg version of the phpwiki package is created, removing what's embedded. I've done such work few times already, and I can tell that it takes really a long time to make it acceptable for Debian (see for example my extplorer package in Squeeze/SID, which took me month to make because of all this kind of issues). At this point, I wont have time to work on it either, and even if I do, that wont be enough time before Squeeze is out, with anyway, a big chance that the RT will refuse the package. I don't think I have to send more bug reports, because quite a lot have been sent against the package already (for embedding for example fpdf, nusoap). Instead, I think I had to warn the ftp-masters about all this, which is why they are Cc: to this mail. Maybe we'll have to even remove phpwiki from Lenny (this wont be my decision anyway). Cheers, Thomas Goirand (zigo) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
