On Thu, Jun 4, 2009 at 10:29 AM, Jon Ciesla <l...@jcomserv.net> wrote:
> Paulo Cavalcanti wrote:
> >
> > On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <l...@jcomserv.net> wrote:
> >
>> David Nalley wrote:
>>
>>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <pro...@gmail.com> wrote:
>>>
>>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <da...@gnsa.us> wrote:
>>>>
>>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <pro...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I submitted ampache (http://ampache.org/) for review, but I was told
>>>>>> that it could not use any external software bundled in the code.
>>>>>> In fact, it uses getid3, a file that seems to come from horde
>>>>>> (horde/Browser.php), and some others.
>>>>>>
>>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache)
>>>>>>
>>>>>> "Ampache has been featured in numerous online blogs and technical
>>>>>> articles. One of the more notable was the O'Reilly book Spidering
>>>>>> Hacks which tested the security of online applications. Ampache was
>>>>>> found to be immune to standard spidering hacks as described in the
>>>>>> O'Reilly article, and it has continued that trend by focusing on
>>>>>> security during its development. The Code Philosophy listed on
>>>>>> Ampache's wiki specifically lists security as one of those most
>>>>>> important considerations during application development."
>>>>>>
>>>>>> Does it make any sense to fiddle something that has always had
>>>>>> security as a prime concern?
>>>>>>
>>>>>> Any comment is welcome.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Paulo Roma Cavalcanti
>>>>>> LCG - UFRJ
>>>>>>
>>>>>> --
>>>>>> fedora-devel-list mailing list
>>>>>> fedora-devel-list@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>>>>>>
>>>>> Perhaps I am the least well suited to respond as I did some of the
>>>>> initial review.
>>>>>
>>>> No, on the contrary.
>>>>
>>>>> However, there are at least 10 bundled libraries with ampache,
>>>>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>>>>> captchaphp, php-Snoopy, etc.
>>>>>
>>>>> In addition to the security benefits, creating the separate package
>>>>> means other packages (even other web apps) can make use of the
>>>>> libraries that would be available in Fedora instead of just ampache.
>>>>> I can empathize with the extra work that this causes, as I am trying
>>>>> to fix a few of these problems with another web app.
>>>>>
>>>> Maybe we can list all of the packages we would like to have for web
>>>> applications, and try to set a "task force" to cope with them?
>>>>
>>>> I think if we had three or four people willing to help, the work would
>>>> be concluded fast. There are always people looking forward to
>>>> contributing, but without a good package to work with.
>>>>
>>> I think that's an outstanding idea, and I'd be willing to work towards
>>> such an end, and perhaps since there is such a prevalence of php we
>>> can get some buy-in from the php-sig as well. To illustrate some of
>>> the usefulness - I have a web app I am working on now that uses
>>> php-Snoopy as ampache also does, so that's at least two applications
>>> that can make use of the package.
>>>
>> Count me in. I maintain several PHP apps, and having gone through the
>> nightmare of switching from bundled to system libraries, I wholeheartedly
>> agree that using system libraries from the beginning is the best way to go.
>> Using the system lib means that security fixes are done in one place for
>> all apps, and we don't have to patch the apps, or wait for upstream to push
>> an update with an updated bundled lib.
>>
>> I'll help review, etc.
>>
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of packages missing available elsewhere,
> so people, interested in helping, could choose what to pack.
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ
>
> You mean like a subcategory of
> http://fedoraproject.org/wiki/PackageMaintainers/WishList ?
>

Yes, a more specific entry, such as web applications?

--
Paulo Roma Cavalcanti
LCG - UFRJ