Bug#471160: removed smarty
Jan Wagner wrote:
> Hi Michael,
>
> On Saturday 19 April 2008 17:39, Michael Schultheiss wrote:
> > Jan Wagner wrote:
> > > tags 471160 + patch
> > >
> > > hi there,
> > >
> > > what about the attached patch. shouldn't do it the trick? on my test
> > > installation it works all well
> >
> > Thank you for your patch. I've tested it and found that the embedded
> > smarty and adodb are still utilized, at least on upgrades. I added a
> > preinst file that handles the symlinking for upgrades and my Gallery
> > started throwing HTTP 500 errors (Internal Error). I'll do some further
> > testing to see if I can determine what the problem is.
>
> what about adodb? I just double checked the files, they are just copied over
> without modifications. Policy violation for embedded code copies are bad and
> I think you don't want to be assassinated by Security Team. :)

I'm still working on adodb - the initial patch is non-functional and I'm
working to see what Gallery needs from adodb so it can use the system
adodb.

--
Michael Schultheiss
E-mail: [EMAIL PROTECTED]
Bug#471160: removed smarty
Hi Michael,

On Saturday 19 April 2008 17:39, Michael Schultheiss wrote:
> Jan Wagner wrote:
> > tags 471160 + patch
> >
> > hi there,
> >
> > what about the attached patch. shouldn't do it the trick? on my test
> > installation it works all well
>
> Thank you for your patch. I've tested it and found that the embedded
> smarty and adodb are still utilized, at least on upgrades. I added a
> preinst file that handles the symlinking for upgrades and my Gallery
> started throwing HTTP 500 errors (Internal Error). I'll do some further
> testing to see if I can determine what the problem is.

what about adodb? I just double checked the files, they are just copied over
without modifications. Policy violation for embedded code copies are bad and
I think you don't want to be assassinated by Security Team. :)

With kind regards, Jan.
--
Never write mail to <[EMAIL PROTECTED]>, you have been warned!
Bug#471160: removed smarty
Hi,

> Upstream Gallery is working on a new version that includes a fix for the
> smarty issue. I agree that using the Debian packaged version is better
> than embedding, but not at the expense of usability.

Of course if there's a short term fix with just an updated Smarty, that's
better than no fix at all.

However, putting embedding against usability is a false dilemma. The user
doesn't see the difference where in the filesystem some piece of code is
present. The only reason I can see is that upstream made modifications to
stock Smarty. If they have local modifications, it would be interesting to
see exactly what they are and if they cannot be implemented in a stock copy.

Be advised that the security team in principle does not consider packages
including a verbatim copy of some library acceptable for stable. See for
example the recent kazehakase update to see how many security issues in one
package can arise from using an outdated embedded library copy.

Please ask upstream to make it easy to switch between the embedded copy and
a system copy, e.g. in a constant somewhere (e.g. SMARTY_PATH).

cheers,
Thijs
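An added example, not part of the thread and not Debian's or Gallery's own tooling: one way to answer the question raised above, whether an embedded library tree is a verbatim copy of the system one or carries local modifications, by comparing the two trees file by file. The function name compare_embedded and the demo file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify every file of an embedded library copy against the system copy.
# Usage: compare_embedded <embedded-dir> <system-dir>
# Prints "MODIFIED <path>" or "EMBEDDED-ONLY <path>" for each differing file,
# then a summary line "same=N modified=N embedded_only=N".
# Returns 0 only when every embedded file exists unchanged in the system copy.
compare_embedded() {
    embedded=$1 system=$2
    same=0 modified=0 only=0
    # Relative paths of all regular files in the embedded tree.
    files=$(cd "$embedded" && find . -type f | LC_ALL=C sort) || return 2
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$system/$f" ]; then
            echo "EMBEDDED-ONLY ${f#./}"; only=$((only + 1))
        elif cmp -s "$embedded/$f" "$system/$f"; then
            same=$((same + 1))
        else
            echo "MODIFIED ${f#./}"; modified=$((modified + 1))
        fi
    done <<EOF
$files
EOF
    echo "same=$same modified=$modified embedded_only=$only"
    [ "$modified" -eq 0 ] && [ "$only" -eq 0 ]
}

# Constructed demo trees (not Gallery's real files): one identical file,
# one locally patched file, one file present only in the embedded copy.
demo=$(mktemp -d)
mkdir -p "$demo/embedded/plugins" "$demo/system/plugins"
echo 'class Smarty {}' > "$demo/embedded/Smarty.class.php"
echo 'class Smarty {}' > "$demo/system/Smarty.class.php"
echo 'function a() { /* patched */ }' > "$demo/embedded/plugins/modifier.a.php"
echo 'function a() {}' > "$demo/system/plugins/modifier.a.php"
echo 'gallery-only helper' > "$demo/embedded/plugins/block.g2.php"

compare_embedded "$demo/embedded" "$demo/system" || echo "not a verbatim copy"
rm -rf "$demo"
```

Files reported as MODIFIED or EMBEDDED-ONLY are the ones to review before replacing the embedded directory with a symlink to the packaged library.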
Bug#471160: removed smarty
Jan Wagner wrote:
> tags 471160 + patch
>
> hi there,
>
> what about the attached patch. shouldn't do it the trick? on my test
> installation it works all well

Thank you for your patch. I've tested it and found that the embedded
smarty and adodb are still utilized, at least on upgrades. I added a
preinst file that handles the symlinking for upgrades and my Gallery
started throwing HTTP 500 errors (Internal Error). I'll do some further
testing to see if I can determine what the problem is.

Upstream Gallery is working on a new version that includes a fix for the
smarty issue. I agree that using the Debian packaged version is better
than embedding, but not at the expense of usability.

--
Michael Schultheiss
E-mail: [EMAIL PROTECTED]
Bug#471160: removed smarty
tags 471160 + patch hi there, what about the attached patch. shouldn't do it the trick? on my test installation it works all well with kind regards, jan. diff -Nru gallery2-2.2.4/debian/changelog gallery2-2.2.4/debian/changelog --- gallery2-2.2.4/debian/changelog 2008-04-06 02:29:15.0 +0200 +++ gallery2-2.2.4/debian/changelog 2008-04-06 02:29:47.0 +0200 @@ -1,3 +1,11 @@ +gallery2 (2.2.4-2.1) unstable; urgency=low + + * Non-maintainer upload. + * removing adodb and smarty from package (Closes: #471160) + * depending libphp-adodb and smarty and make use of them via symlink + + -- Jan Wagner <[EMAIL PROTECTED]> Sun, 06 Apr 2008 02:05:32 +0200 + gallery2 (2.2.4-2) unstable; urgency=high * Urgency high due to release critical bug diff -Nru /tmp/FAwFfSgYAZ/gallery2-2.2.4/debian/control /tmp/3kZ6Kihe9t/gallery2-2.2.4/debian/control --- gallery2-2.2.4/debian/control 2008-04-06 02:29:15.0 +0200 +++ gallery2-2.2.4/debian/control 2008-04-06 02:29:47.0 +0200 
@@ -8,7 +8,7 @@ Package: gallery2 Architecture: all -Depends: apache2 | apache-ssl | apache-perl | apache | httpd, php5 | php5-cgi | libapache-mod-php5 | libapache2-mod-php5 | php4 | php4-cgi | libapache-mod-php4 | libapache2-mod-php4, netpbm (>= 9.20) | imagemagick, debconf (>= 0.2.26) | debconf-2.0, mysql-client | postgresql-client, wwwconfig-common, php5-mysql | php4-mysql | php5-pgsql | php4-pgsql +Depends: apache2 | apache-ssl | apache-perl | apache | httpd, php5 | php5-cgi | libapache-mod-php5 | libapache2-mod-php5 | php4 | php4-cgi | libapache-mod-php4 | libapache2-mod-php4, netpbm (>= 9.20) | imagemagick, debconf (>= 0.2.26) | debconf-2.0, mysql-client | postgresql-client, wwwconfig-common, php5-mysql | php4-mysql | php5-pgsql | php4-pgsql, libphp-adodb, smarty Recommends: jhead, unzip, libjpeg-progs, php5-gd | php4-gd, dcraw, ffmpeg, mysql-server-4.1 | mysql-server | postgresql, zip Description: web-based photo album written in PHP Gallery2 is a web-based photo album with multiple user support. It diff -Nru /tmp/FAwFfSgYAZ/gallery2-2.2.4/debian/rules /tmp/3kZ6Kihe9t/gallery2-2.2.4/debian/rules --- gallery2-2.2.4/debian/rules 2008-04-06 02:29:15.0 +0200 +++ gallery2-2.2.4/debian/rules 2008-04-06 02:29:47.0 +0200 @@ -43,6 +43,12 @@ esac \ fi \ done + # remove shipped stuff + rm -rf $(GDIR)/lib/smarty + rm -rf $(GDIR)/lib/adodb + # add links + dh_link usr/share/php/smarty/libs usr/share/gallery2/lib/smarty + dh_link usr/share/php/adodb usr/share/gallery2/lib/adodb install -m 644 debian/apache.conf $(GCONFDIR) build: pgpxBiK8EcMfK.pgp Description: PGP signature
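Review bot: In debian/control, the two dependencies appended to the end of the Depends line ("libphp-adodb, smarty") carry no version constraint. Since debian/rules then replaces the bundled copies with symlinks to whatever the system packages provide, any installed version of either library satisfies the dependency, including one older than the copy shipped with Gallery 2.2.4. Consider adding a ">=" bound on each, matching the bundled versions once those are confirmed.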
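Review bot: In debian/rules, the "rm -rf $(GDIR)/lib/smarty" and "rm -rf $(GDIR)/lib/adodb" lines with their dh_link counterparts only change what the new package ships; nothing handles a system where lib/smarty and lib/adodb already exist as real directories from the previous version. dpkg does not replace an existing directory with a symlink on upgrade, which is consistent with the report in this thread that the embedded copies are still used after upgrading, so a maintainer script that removes the old directories before unpack is needed alongside this change. The dh_link destinations are also hard-coded as usr/share/gallery2/lib/... while the removal uses $(GDIR); deriving both from the same variable would keep the two from drifting apart.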