Bug#595820: ITP: woof -- A small, simple, stupid webserver to share files

2010-09-09 Thread Stefano Zacchiroli
On Wed, Sep 08, 2010 at 04:58:21PM -0400, Joey Hess wrote:
> Incoming code of possible security significance should be reviewed for
> at least common classes of security holes. Instead, we get a thread where
> the ITPer is required to prove that nothing in Debian can do what his
> package does.

You got me. I'm convinced by these arguments.

Still, they account for a possibly inflated perception of the trade-off
between security *risks* and the benefits of having a new package in the
archive. That trade-off is not the same as the trade-off between
security *work* and the benefits of introducing a new package. That is
to say that arguably the security team will have to fix anyhow a
security fix in woof, even if its impact is much lower than the impact
of a security hole exploitable in the default Apache configuration.

But once more you're right: it is not up to us here to say which
packages are acceptable from the POV of the security team. I can just
comment that my, probably inflated, perception of the extra burden is
not based only on my personal beliefs. My perception is also based on
past comments (and talks) on the subject by the security team, where the
yet another web server example was frequently cited, at least in my
recalling.

I also agree that the default mood (or culture as you call it) against
ITPs is probably excessive, but we should not give up on requiring
adherence to best ITP practices. In particular, a review of
alternatives available in the archive is something I do expect from
ITP-ers of *any* software, whether it's security-sensitive or not.
Similarly, documenting in the long description reasons for choosing the
package over its alternatives is something to be expected as well.  For
woof, it might be written as simply as you just did, but it's still
something this ITP is waiting for.

Bottom line: this thread could have probably been spared entirely, by
providing a long description matching the above criteria since the
beginning.

Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
When even the saints turn their backs on you, |  .  |. I've fans everywhere
you are left with John Fante -- V. Caposella ...| ..: |.. -- C. Adams



2010-09-09 Thread Andrea Gasparini
Long Description:
  Woof (Web Offer One File) is a tool to copy files between hosts. It can
serve a specified file on HTTP, just for a given number of times, and then
shut down. It can be easily used to share files across the computers on a
net, and given that the other ends should have just a browser, it can share
stuff between different operating systems, or different devices (e.g.: a
smartphone). It can also show a simple HTML form in order to upload a file.

About the question raised by zack (i.e.: which singular features woof has with
respect to other packages),
* if I understood correctly webfs is one-way only, and doesn't support
the shutdown after a single transfer.
* weborf instead, as said by Salvo in his mail, doesn't limit the number
of connections (still no shutdown after n transfers), doesn't give an
archive of a directory, and uses PUT for uploads (i.e. less support for
browser interaction).

bye
-- 
-gaspa-
---
 https://launchpad.net/~gaspa -
- HomePage: http://gaspa.yattaweb.it --



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org




2010-09-08 Thread Stefano Zacchiroli
On Wed, Sep 08, 2010 at 08:03:14PM +0200, Salvo Tomaselli wrote:
> > This would already reduce the load on the FTP, release and security
> > teams, and allow their members to do more useful things.
> And would lead many people to choose other distributions that offer more than
> merely core packages.

Salvo, I do appreciate how much you care about this package, but I don't
think the past, say, 15 messages of lateral discussion in this thread
have helped at all the cause of woof. I'm of course biased, but I've the
impression that the main points to be addressed are still the ones raised
in my earlier post in this thread.

That is: considering that introducing a new web server in the archive
will potentially increase the work of the security team, it must be
worth. To verify it is worth or not there is only one way: perform a
thorough review of alternatives already present in the archive and point
out the unique features (of all kinds, including user interface
differences) of woof with respect to them. Bonus points: mention those
unique features in the long description as help for sysadms having to
choose woof among others.

I haven't yet seen either you, or the ITP-er, or anyone else doing that
and I've the impression you'll be getting nowhere until that is done.

/me and his last post on this thread
Cheers.


PS As a not very thorough personal suggestion of mine, and after a bit
   of Googling, I'd start from the webfs package to document what more
   woof has to offer.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
When even the saints turn their backs on you, |  .  |. I've fans everywhere
you are left with John Fante -- V. Caposella ...| ..: |.. -- C. Adams



2010-09-08 Thread Joey Hess
Stefano Zacchiroli wrote:
> That is: considering that introducing a new web server in the archive
> will potentially increase the work of the security team, it must be
> worth.

You know, introducing any package that is capable of network traffic
in either direction can potentially increase the work of the security
team.

What this thread appears to be missing is any acknowledgement of the
degrees of potential security impact that exist between apache and say,
wget. An exploitable hole in apache's default configuration has the
impact of massive worms doing real damage to the internet and exposing
vast amounts of information to black hats, etc. Organisations exist that
will pay a nice sum of money for zero-day access to such a security
hole. An exploitable hole in wget is likely only exploitable in
theory, or with much effort and luck. I doubt you could find anyone
who'd pay you $10 for zero-day access to such a hole.

The woof package seems likely to have a total security impact that is
actually less than wget, since fewer people will be using it, and its
use will be limited to more peer-to-peer situations. I have found a
security hole in woof. How much will someone pay me to disclose it? [1]

AFAICS, woof is unique in both its strategy of serving a file only 1 (or
N times), and its trivial command-line invocation on a single file. I'd
use it.

Incoming code of possible security significance should be reviewed for
at least common classes of security holes. Instead, we get a thread where
the ITPer is required to prove that nothing in Debian can do what his
package does. Personally, I feel that our culture of ripping ITPs to shreds
has gone too far, and needs to be reined in, while our culture of
actual, useful security impact analysis and review is stunted.

-- 
see shy jo, who has written a small, stupid, badly designed web server
with no unique or redeeming features, and gotten it into Debian :P

[1] I've emailed the author, so it won't be zero-day for long. Buy now!



2010-09-07 Thread Marco d'Itri
On Sep 07, Andrea Gasparini ga...@yattaweb.it wrote:

> Brian, it lacks the long description, right, we'll provide one asap.
> Though, it serves just one file a given number of times, and then shuts down.
> It's something useful for distributing files in a LAN, if you don't want to
> install and set up a complete/complex webserver.
Installing lighttpd or something like it requires much less time than
learning the existence of this one.

-- 
ciao,
Marco



2010-09-07 Thread Andrea Gasparini
Andrea Colangelo wrote, Tuesday 07 September 2010
> * URL : http://www.home.unix-ag.org/simon/

http://www.home.unix-ag.org/simon/woof.html


Josselin Mouette wrote, Tuesday 07 September 2010:
> Oh yeah. We didn’t have enough webservers in the archive.

Joss, you could even be right, but that doesn't seem the best way to state 
your thoughts. 
With this tone I guess the OP wouldn't simply consider your mail.


brian m. carlson wrote, Tuesday 07 September 2010:
> We have a lot of web servers in Debian.  Could you provide a long
> description for the package that helps an administrator decide why she
> might want to install woof instead of some other lightweight web
> server?

Brian, it lacks the long description, right, we'll provide one asap.
Though, it serves just one file a given number of times, and then shuts down.
It's something useful for distributing files in a LAN, if you don't want to
install and set up a complete/complex webserver.


Mauro Lizaur wrote, Tuesday 07 September 2010:
> Such as:
> $ python -m SimpleHTTPServer [port]

Thanks Mauro, we could drop all our webservers, now. :)

Bye!
-- 
-gaspa-
---
 https://launchpad.net/~gaspa -
- HomePage: http://gaspa.yattaweb.it --




2010-09-07 Thread Salvo Tomaselli
On Tuesday 07 September 2010 00:22:26 brian m. carlson wrote:

> We have a lot of web servers in Debian.  Could you provide a long
> description for the package that helps an administrator decide why she
> might want to install woof instead of some other lightweight web
> server?

I maintain a similar package (weborf), but yet with some differences.

Weborf uses a basedirectory param while woof can use a directory or a file.
Weborf will not limit the number of connections.
Woof would tar a directory and weborf would produce an html list of files.
Weborf does not support file upload in the same way. The user would be forced 
to use a CGI script. Or, weborf supports the PUT method, but no browser does.
Weborf is also meant to be used as a normal webserver, and woof is not.

I think the upload option and the tar of directory are quite convenient.


Bye

-- 
Salvo Tomaselli



2010-09-07 Thread Josselin Mouette
On Tuesday 07 September 2010 at 10:25 +0200, Salvo Tomaselli wrote:
> I maintain a similar package (weborf), but yet with some differences.
>
> Weborf uses a basedirectory param while woof can use a directory or a file.
> Weborf will not limit the number of connections.
> Woof would tar a directory and weborf would produce an html list of files.
> Weborf does not support file upload in the same way. The user would be forced
> to use a CGI script. Or, weborf supports the PUT method, but no browser does.
> Weborf is also meant to be used as a normal webserver, and woof is not.
>
> I think the upload option and the tar of directory are quite convenient.

Oh, please. If you want to set up such schemes, why would you not want to
spend 5 minutes to configure apache or lighttpd instead of spending at
least the same time to configure such an obscure piece of software?

If all you care about is sharing a few files in the simplest way, there
are much better tools to do it, like gnome-user-share.

-- 
 .''`.
: :' : “You would need to ask a lawyer if you don't know
`. `'   that a handshake of course makes a valid contract.”
  `---  Jörg Schilling





2010-09-07 Thread Stefano Zacchiroli
[ adding back the ITP to Cc: ]

On Tue, Sep 07, 2010 at 10:56:15AM +0200, Salvo Tomaselli wrote:
> The default installation of lighttpd would put itself in the autostart, maybe
> I just wanted to share a file and it would take time for me to change the
> configuration for avoiding autostart and create a new config file. And of
> course I should also know how to do that.

Fair enough. Note that nobody here is saying thou shall not package
this. We are just very cautious because adding a new web server to the
archive might easily become a security PITA (ask the security team for
some horror stories on the subject of yet another web server). So what
we are saying is just that it should be worth it wrt other software
offerings already in the archive.

On a related topic, please remember that long descriptions are meant to
help sysadms to decide whether they want to install a package or not. In
this specific case, and given the availability of competitor tools,
your long description should explain why one might want to prefer woof
over other packages.

If I were the packager, I would skim through the output of debtags
search web::server and try to convince myself that the new one I'm
adding really has distinguishing features (things like ease of
configuration might of course qualify as a feature). Once done, I
would mention my reasons in the long description. ... and that's also
why it's wise to have long descriptions ready at ITP-submission time:
threads like this one might have been avoided completely, thanks to a
convincing long description :-)

Thanks for your packaging work!
Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
When even the saints turn their backs on you, |  .  |. I've fans everywhere
you are left with John Fante -- V. Caposella ...| ..: |.. -- C. Adams



2010-09-07 Thread Holger Levsen
apt-cache show sendfile gerstensaft



2010-09-07 Thread Mauro Lizaur


2010-09-07, Stefano Zacchiroli:

> [ adding back the ITP to Cc: ]
>
> On Tue, Sep 07, 2010 at 10:56:15AM +0200, Salvo Tomaselli wrote:
> > The default installation of lighttpd would put itself in the autostart,
> > maybe I just wanted to share a file and it would take time for me to change the
> > configuration for avoiding autostart and create a new config file. And of
> > course I should also know how to do that.
>
> Fair enough. Note that nobody here is saying thou shall not package
> this. We are just very cautious because adding a new web server to the
> archive might easily become a security PITA (ask the security team for
> some horror stories on the subject of yet another web server). So what
> we are saying is just that it should be worth it wrt other software
> offerings already in the archive.
>
> On a related topic, please remember that long descriptions are meant to
> help sysadms to decide whether they want to install a package or not. In
> this specific case, and given the availability of competitor tools,
> your long description should explain why one might want to prefer woof
> over other packages.
 

+1

[plus]

2010-09-07, Andrea Gasparini:
> > Such as:
> > $ python -m SimpleHTTPServer [port]
> Thanks Mauro, we could drop all our webservers, now. :)

I guess we could, but it wouldn't be a very smart move to be honest.
Please, read the paragraphs written by Stefano, he made some interesting
points.

Also what I meant with that line was that when I need to copy a file to
(let's say) my cellphone in a simple (and/or stupid) way, this can easily 
be achieved with that Python module. But at the same time, waiting for you 
to answer the question we all have: What does it do?

Protip:
Perhaps the usage of the following words might help you to convince us all.
 * scalable (This one is a sure-shot)
 * non-blocking
 * über-fast
 * «web2.0 ready» (I guess this one is kinda demodé these days anyway)
 * «Sarcasm inside» (Hope Intel doesn't get mad over this)

Regards,
Mauro

--
JID: lavaram...@nube.usla.org.ar | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1




2010-09-07 Thread Andrea Gualano

Hi all,
I've been using woof for quite a bit of time now, and I find it very useful.
It's not meant as a substitute for a full-fledged webserver, it's a tool 
to transfer files to/from other computers and devices.
I find it quite handy and simple, and I don't know of any other tool 
with a comparable feature set for this particular task (though of course 
there may be one I don't know).


This is a list of features that differentiate it from other solutions,
AFAIK:
- No special software needed on the client side, a browser suffices (as
  opposed to scp or FTP);
- No configuration needed;
- Always-off functioning: the web server starts when invoked and stops
  after one (or more) transfers;
- No directory layout requirement, can serve from anywhere in the file
  system;
- Simple command line: woof file
- Serves tar archives of directories (no need to archive the files in
  advance);
- Can be used for receiving files (again, only web browser needed on the
  client side).


Clearly a real web server is not a substitute for this usage.

Woof is also easier to use and more powerful than SimpleHTTPServer. I 
don't know whether there are other packages that already subsume woof 
functionality.


Bye,
Andrea




2010-09-06 Thread Andrea Colangelo
Package: wnpp
Severity: wishlist
Owner: Andrea Colangelo war...@ubuntu.com


* Package name    : woof
  Version         : 2009.12.27
  Upstream Author : Simon Budig si...@budig.de
* URL             : http://www.home.unix-ag.org/simon/
* License         : GPL2
  Programming Lang: Python
  Description     : A small, simple, stupid webserver to share files




2010-09-06 Thread Josselin Mouette
On Monday 06 September 2010 at 23:55 +0200, Andrea Colangelo wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Andrea Colangelo war...@ubuntu.com
>
>
> * Package name    : woof
>   Version         : 2009.12.27
>   Upstream Author : Simon Budig si...@budig.de
> * URL             : http://www.home.unix-ag.org/simon/
> * License         : GPL2
>   Programming Lang: Python
>   Description     : A small, simple, stupid webserver to share files

Oh yeah. We didn’t have enough webservers in the archive.

-- 
 .''`.  Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-[…] I will see what I can do for you.”  -- Jörg Schilling





2010-09-06 Thread brian m. carlson
On Mon, Sep 06, 2010 at 11:55:51PM +0200, Andrea Colangelo wrote:
> * Package name    : woof
>   Version         : 2009.12.27
>   Upstream Author : Simon Budig si...@budig.de
> * URL             : http://www.home.unix-ag.org/simon/
> * License         : GPL2
>   Programming Lang: Python
>   Description     : A small, simple, stupid webserver to share files

We have a lot of web servers in Debian.  Could you provide a long
description for the package that helps an administrator decide why she
might want to install woof instead of some other lightweight web
server?

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



2010-09-06 Thread Mauro Lizaur


2010-09-06, brian m. carlson:

> On Mon, Sep 06, 2010 at 11:55:51PM +0200, Andrea Colangelo wrote:
> > * Package name    : woof
> >   Version         : 2009.12.27
> >   Upstream Author : Simon Budig si...@budig.de
> > * URL             : http://www.home.unix-ag.org/simon/
> > * License         : GPL2
> >   Programming Lang: Python
> >   Description     : A small, simple, stupid webserver to share files
>
> We have a lot of web servers in Debian.  Could you provide a long
> description for the package that helps an administrator decide why she
> might want to install woof instead of some other lightweight web
> server?
 

Such as:
$ python -m SimpleHTTPServer [port]

Regards,
Mauro

--
JID: lavaram...@nube.usla.org.ar | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1


