Hi,

I recently took over as the maintainer of the moin package in Fedora and EPEL. It's my first EPEL package. I've been able to handle the Fedora side quite well but, to be honest, I'm in a bit of trouble with the EPEL packages. The thing is, the package has been practically unmaintained for a year now and I'm quite certain there are security issues with it (I'd rather not disclose the possible vulnerabilities on a public mailing list).

The moin version in EPEL is 1.5.9 and upstream has abandoned the 1.5 series completely. From what I've read on mailing lists, IRC and the Moin documentation, the migration from 1.5 to 1.6 or later can be quite painful. IIRC the Fedora infrastructure team were testing it before switching to Mediawiki and they had all kinds of problems with it as well. This is why I'd rather not submit an update to 1.8, which is the current stable branch, in EL-4 or EL-5.

Out of the major distributions, Debian Etch aka oldstable has 1.5.3; all others either don't have Moin at all or have some newer version. Debian will apparently drop support for Etch in February 2010, at which point EL-5 has about four (?) years of support left and we'll be on our own with Moin 1.5.

The most important thing the Moin packages need right now would be for someone to go through the CVE reports against Moin, the project's own security page, Debian's security patches and Fedora's security patches, see which ones need to be applied and build updated packages. I can start working on this soon, but my free time is somewhat limited right now.

With these points in mind:

- Are there any people on the list who'd like to become co-maintainers or even primary maintainers for Moin in the EPEL branches?
- Should we just update Moin to a version with upstream support even though it might cause major pain to anyone running the current packages?
- Related to these questions, once even Debian drops 1.5, are there going to be enough people in the EPEL project to take care of the possible security issues?
- If not, should we just orphan Moin in EPEL?

-- 
Ville-Pekka Vainio
