I have to switch Mantis from packaged to directly installed:

- Mantis 1.2.0 contains critical bug fixes, including remote admin and cross-site scripting vulnerabilities capable of capturing plaintext passwords.
- Mantis 1.1 is officially unmaintained.
- Mantis does not appear to ask for CVEs, so the issues are not taken seriously by Debian and therefore by Ubuntu.
- The package in Ubuntu is Mantis 1.1.8.
- Ubuntu and Debian have not patched these issues. There are no bugs filed for them either.
Plus, Mantis is written in PHP, which has had many vulnerabilities and is likely to continue having many vulnerabilities, at least in nextgens' view. However, half of the web is written in PHP, and presumably the distributions do deal with such vulnerabilities promptly.

Last time I checked there were many options for third-party hosting of Mantis, including upgrading it for us; unfortunately none of them (certainly none of the free ones) would allow us to import our existing bugs.

A related point is that only a relatively small proportion of users actually report bugs on the bug tracker. However, closing it off would increase the barrier to entry for new developers.

As I see it our options are:

- Keep Mantis, install it and upgrade it by hand.
- Keep Mantis and restrict its use to registered developers.
- Switch to something else.

Most likely we will stick to the first option.
