On Wed, Apr 21, 2010 at 8:46 AM, Matthew Toseland
<t...@amphibian.dyndns.org> wrote:
> I have to switch Mantis from packaged to directly installed:
> - Mantis 1.2.0 contains critical bug fixes including remote admin and 
> cross-site scripting vulnerabilities capable of capturing plaintext passwords.
> - Mantis 1.1 is officially unmaintained.
> - Mantis does not appear to ask for CVEs, so the issues are not taken
> seriously by Debian and therefore by Ubuntu.
> - The package in Ubuntu is Mantis 1.1.8.
> - Ubuntu and Debian have not patched these issues. There are no bugs filed 
> for them either.
>
> Plus, Mantis is written in php, which has had many vulnerabilities and is 
> likely to continue having many vulnerabilities, at least in nextgens' view. 
> However half of the web is written in php and presumably the distributions do 
> deal with such vulnerabilities promptly.
>
> Last time I checked there were many options for third party hosting of 
> mantis, including upgrading it for us, unfortunately none of them (certainly 
> none of the free ones) would allow us to import our existing bugs.
>
> A related point is that only a relatively small proportion of users actually 
> report bugs on the bug tracker. However, closing it off would increase the 
> barrier to entry for new developers.
>
> As I see it our options are:
> - Keep Mantis, install it and upgrade it by hand.
> - Keep Mantis and restrict its use to registered developers.
> - Switch to something else.
>
> Most likely we will stick to the first option.

I think there is an important set of power users who like to look at
bug trackers and might occasionally report a bug there, and might one
day become devs (and are certainly useful to have around regardless!).
So I think making the bug tracker inaccessible to them is very bad.

Switching to something else is a pain, and we haven't managed to agree
on what to switch to before.

So I like the first option, for now.  We can revisit as needed.

Evan Daniel
_______________________________________________
Devl mailing list
Devl@freenetproject.org
http://osprey.vm.bytemark.co.uk/cgi-bin/mailman/listinfo/devl