Paulo Cavalcanti wrote:


On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <l...@jcomserv.net <mailto:l...@jcomserv.net>> wrote:

    David Nalley wrote:

        On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti
        <pro...@gmail.com <mailto:pro...@gmail.com>> wrote:
            On Thu, Jun 4, 2009 at 8:00 AM, David Nalley
            <da...@gnsa.us <mailto:da...@gnsa.us>> wrote:
                On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti
                <pro...@gmail.com <mailto:pro...@gmail.com>> wrote:
                    Hi,

                    I submitted ampache (http://ampache.org/) for review, but I was told that it
                    could not use any external software bundled in the code. In fact, it uses
                    getid3, a file that seems to come from horde (horde/Browser.php), and some
                    others.

                    According to Wikipedia (http://en.wikipedia.org/wiki/Ampache):

                    "Ampache has been featured in numerous online blogs and technical articles.
                    One of the more notable was the O'Reilly book Spidering Hacks which tested
                    the security of online applications. Ampache was found to be immune to
                    standard spidering hacks as described in the O'Reilly article, and it has
                    continued that trend by focusing on security during its development. The
                    Code Philosophy listed on Ampache's wiki specifically lists security as one
                    of those most important considerations during application development."

                    Does it make any sense to fiddle with something that has always had security
                    as a prime concern?

                    Any comment is welcome.

                    Thanks.

                    --
                    Paulo Roma Cavalcanti
                    LCG - UFRJ

                    --
                    fedora-devel-list mailing list
                    fedora-devel-list@redhat.com
                    <mailto:fedora-devel-list@redhat.com>
                    https://www.redhat.com/mailman/listinfo/fedora-devel-list

                Perhaps I am the least well suited to respond as I did some of the
                initial review.
            No, on the contrary.

                However, there are at least 10 bundled libraries with ampache,
                including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
                captchaphp, php-Snoopy, etc.

                In addition to the security benefits, creating the separate package
                means other packages (even other web apps) can make use of the
                libraries that would be available in Fedora instead of just ampache.
                I can empathize with the extra work that this causes, as I am trying
                to fix a few of these problems with another web app.

            Maybe we can list all of the packages we would like to have for web
            applications, and try to set a "task force" to cope with them?

            I think if we had three or four people willing to help, the work would be
            concluded fast. There are always people looking forward to contributing,
            but without a good package to work with.

        I think that's an outstanding idea, and I'd be willing to work towards
        such an end, and perhaps since there is such a prevalence of php we
        can get some buy-in from the php-sig as well. To illustrate some of
        the usefulness - I have a web app I am working on now that uses
        php-Snoopy as ampache also does, so that's at least two applications
        that can make use of the package.

    Count me in. I maintain several PHP apps, and having gone through
    the nightmare of switching from bundled to system libraries, I
    wholeheartedly agree that using system libraries from the
    beginning is the best way to go.  Using the system lib means that
    security fixes are done in one place for all apps, and we don't
    have to patch the apps, or wait for upstream to push an update
    with an updated bundled lib.

    I'll help review, etc.


Thank you Jon. I will start with getid3.

It would be nice if we had a list of packages missing available elsewhere,
so people interested in helping could choose what to pack.

--
Paulo Roma Cavalcanti
LCG - UFRJ

You mean like a subcategory of http://fedoraproject.org/wiki/PackageMaintainers/WishList ?

--
in your fear, speak only peace
in your fear, seek only love

-d. bowie
