Hi Thomas

I wasn't aware of any out of date licensing info since I last trawled the
codebase and updated the copyright file - in any case this metadata is easy
enough to bring to correctness now it is noticed.

The history of this package is that it has always had caretaker maintainers
and while we've done our best to keep it in line with evolving policy
requirements and best practices over the years, the upstream codebase
certainly does not make that an easy task, as you have yourself discovered.

The upstream developers have promised me a new release in the next week or
two to address the PHP 5.3 issues, so my plan was to wait for that before
initiating any further action on my part. Chances are the release team is
unlikely to accept a brand new version into testing at this stage, so it is
entirely likely that phpwiki will not be in our next release. However, I'd
like to have the new phpwiki release in hand before coming to a final
conclusion here.

With regards to the other open bugs and the package in stable: we have users
depending on it, so I'm not really convinced that removal is in their best
interests. If there are serious security issues, as you hint at, then please
file the appropriate bugs so we can address them through the normal
processes.

The embedding of software in phpwiki is certainly suboptimal, but hard to
rectify without major changes from upstream. The package was accepted many
years ago, before we really cracked down and tightened up on such behaviour
in PHP apps. I think this helps explain how the package "got past" the
ftpmasters.

The bugs to separate out the dependencies are all RFH tagged and I would
gladly welcome patches - as would the upstream developers, who are aware of
the issue but have limited time for such work.

In summary - yes, there is clearly much to be improved in the package, and the
PHP issues will likely keep it out of the new release, but I'm not
convinced that a full scale package removal from the archive is justified, as
you conclude. The issues are being worked on, but as usual more hands are
needed to make it happen at the speed we desire.

Cheers.

On 19 Sep 2010 14:16, "Thomas Goirand" <z...@debian.org> wrote:
> Hi Matt,
>
> I already feel sorry that I have to send this...
>
> I was going through RCs that I could fix (as all my packages are mostly
> in order), and I believed this was one that I could fix. I thought
> that I would just ask: "Have you ever considered patching so that
> PHPwiki uses ~E_DEPRECATED type of error reporting, so that it won't
> display so many ugly messages?" which would have been a work-around. But
> considering my findings, that won't be what I'll say.
>
> When I had a look in the package, I have found that it is embedding
> loads of libraries that are available in Debian, and even some that
> CANNOT be embedded in phpwiki, because of license restrictions.
>
> Namely (and maybe not even an exhaustive list):
>
> - php-fpdf (1.51, when even Lenny has 1.53.dfsg-6)
> - nusoap (old version 0.6.3 with embedded PHP 5.3 deprecation and
> security fixes (XSS attack) that I fixed recently in Squeeze and SID)
> - lib/captcha/Vera.ttf
> - fckeditor (old version from 2007)
> - php-cache (v1.2 when v1.5.5RC4 can be found in Lenny, using a php
> license 2.02 which use is forbidden outside PHP itself if a package is
> named phpSOMETHING)
> - ...
>
> Moreover, the package source embeds php-db (but it doesn't seem to be
> shipped in the binary packages).
>
> Even worse: the debian/copyright file doesn't list any of the authors
> of the files in lib. At this point, I even wonder how this ever got
> accepted by the ftp-masters.
>
> I really think that now, we have no other option than to remove PHPWiki
> from Debian, or to work really hard on it so that:
>
> 1/ The debian/copyright is written correctly with all authors listed and
> a full review of all files in lib/* is made
> 2/ Embedded libraries that are already packaged in Debian are used
> 3/ PHP deprecations are removed OR ~E_DEPRECATED is used
> 4/ Libraries that the package embeds are packaged separately
> 5/ A +dfsg version of the phpwiki package is created, removing what's
> embedded.
>
> I've done such work a few times already, and I can tell that it takes
> a really long time to make it acceptable for Debian (see for example my
> extplorer package in Squeeze/SID, which took me months to make because of
> all these kinds of issues). At this point, I won't have time to work on it
> either, and even if I do, that won't be enough time before Squeeze is
> out, with, anyway, a big chance that the RT will refuse the package.
>
> I don't think I have to send more bug reports, because quite a lot have
> been sent against the package already (for embedding, for example, fpdf and
> nusoap). Instead, I think I had to warn the ftp-masters about all this,
> which is why they are Cc'd on this mail. Maybe we'll even have to remove
> phpwiki from Lenny (this won't be my decision anyway).
>
> Cheers,
>
> Thomas Goirand (zigo)