Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-07 Thread Asheesh Laroia

On Fri, 6 May 2011, Chris Warburton wrote:
> On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> > On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > > >   Programming Lang: PHP
> > > > >   Description : ocPortal is a Content Management System for
> > > > >   building
> > > > > 
> > > > > and maintaining a dynamic website
> > > > 
> > > > How many content management systems written in php does Debian need?
> > > 
> > > It's not kool that you didn't even ask about how good it is. Maybe it's
> > > better than whatever exists in Debian currently, have you checked? My
> > > point is your question isn't helpful. It smacks of flaming.
> > 
> > The question I should have asked is what is its security record like.  This
> > is an area that's rife with applications that have 'poor' security records.
> > Adding more to that pile would be an unfortunate burden on the security team.
> > That's probably the most significant of the project wide costs adding a package
> > like this brings with it.
> > 
> > Scott K
> 
> Hi Scott. ocPortal isn't massively widespread compared to other systems,
> so there's obviously less experimental proof of security. We had a
> security hole a few years ago; this was before I got involved, but
> there's details here http://en.wikipedia.org/wiki/OcPortal#Criticisms

Hi Chris and the ITP and debian-devel,

I think that if you are willing to work to make this a high-quality 
package, and be a responsive maintainer to bugs reported by users, I think 
it will be great to have you maintain it in Debian.


The security work that you've described sounds great, and I hope that 
other PHP app upstreams hold their apps to such a high standard. If not, 
maybe you can use your tools to start filing bugs left and right against 
them. (-:


For that reason, I will review your packaging when it's ready, and sponsor 
it into Debian if it passes muster. Keep me posted.


--
-- Asheesh.

http://asheesh.org/

Life is to you a dashing and bold adventure.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/alpine.deb.2.00.1105071405370.7...@rose.makesad.us



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-07 Thread George Danchev
On Saturday 07 May 2011 09:41:34 Raphael Hertzog wrote:
> Hi,

Hi,

> On Fri, 06 May 2011, George Danchev wrote:
> > * writing a meaningful ITP helps to grab attention, especially if there
> > are multiple alternatives. Prove your point (ref: I'm upstream and I
> > want to maintain it, doesn't magically buy you a slot into the archive)
> 
> There's nothing to buy... only people offering to maintain packages in
> Debian. But we should certainly not turn out upstream who are willing to
> maintain the package in Debian.
>
> In fact I want more upstream involved in Debian!

I didn't write exactly that. You simply twisted the meaning of what I wrote.
Please, re-read, the keyword is *magically*. 

> (Unless someone does a serious review and has enough credit to convince
> many people that the software is crap and would really be a big burden)

We will accumulate tons of PHP CMSes that way, which doesn't seem to scale. In 
case of multiple alternatives, I'd rather prefer inclusion if enough arguments 
exist that it is better than already included ones.

> > * writing lengthy rebuttals for well known facts from the past is quite
> > unlikely, people have more important things to do.
> 
> We're not speaking of lengthy rebuttals. I agree with Tshepang that the
> answers were rather aggressive when you consider that you speak with
> someone who is starting in the Debian community.
> 
> Something like this would have perfectly done the job:
> "We already have many PHP CMS in the archive, what does this one offer
> that the other don't? Also PHP software tends to have a bad security track
> record, is ocPortal any better in that regard?"

That would have been better. I agree.

> > * recognize the fact when someone says that chances are high you are
> > about to be wasting your own time packaging $something.
> 
> Everybody is free to do what they want with their own time, so you should
> certainly not say anyone that they are wasting their time. If you believe
> they are, you can certainly hint at better alternatives and let people
> see by themselves if they wish to spend their time differently now that
> they know of a possible alternative.

Okay, I just gave a hint from my mind, let's see what happens.

-- 
pub 4096R/0E4BD0AB 





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Raphael Hertzog
Hi,

On Fri, 06 May 2011, George Danchev wrote:
> * writing a meaningful ITP helps to grab attention, especially if there are 
> multiple alternatives. Prove your point (ref: I'm upstream and I want to 
> maintain it, doesn't magically buy you a slot into the archive)

There's nothing to buy... only people offering to maintain packages in
Debian. But we should certainly not turn out upstream who are willing to
maintain the package in Debian.

In fact I want more upstream involved in Debian!

(Unless someone does a serious review and has enough credit to convince
many people that the software is crap and would really be a big burden)

> * writing lengthy rebuttals for well known facts from the past is quite 
> unlikely, people have more important things to do.

We're not speaking of lengthy rebuttals. I agree with Tshepang that the
answers were rather aggressive when you consider that you speak with
someone who is starting in the Debian community.

Something like this would have perfectly done the job:
"We already have many PHP CMS in the archive, what does this one offer
that the other don't? Also PHP software tends to have a bad security track
record, is ocPortal any better in that regard?"

> * recognize the fact when someone says that chances are high you are about to 
> be wasting your own time packaging $something.

Everybody is free to do what they want with their own time, so you should
certainly not say anyone that they are wasting their time. If you believe
they are, you can certainly hint at better alternatives and let people
see by themselves if they wish to spend their time differently now that
they know of a possible alternative.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
  ▶ http://RaphaelHertzog.fr (Français)





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Henrique de Moraes Holschuh
On Fri, 06 May 2011, Chris Warburton wrote:
> Hi Scott. ocPortal isn't massively widespread compared to other systems,
> so there's obviously less experimental proof of security. We had a
> security hole a few years ago; this was before I got involved, but
> there's details here http://en.wikipedia.org/wiki/OcPortal#Criticisms
> 
> Official ocPortal releases are managed by ocProducts, a company set up
> around ocPortal (and who pay my salary), and we have a clear security
> policy which can be found here
> http://ocportal.com/site/maintenance.htm .
> 
> We also regularly run static code analysis tools on the codebase and we
> test every release with a hacked PHP runtime that 1) triggers errors if
> strings are not explicitly sanitised before going through eval, getting
> echoed to a browser or being entered into a database, and 2) enforces a
> type system on variables and function calls (based on type signatures
> written into the PHPdoc of every function), and raises an error if there
> is a type mismatch. I actually run this hacked PHP on my system in place
> of the distro's own.
> 
> If there are specific security concerns I'd be happy to address them.

This is a better security policy than most PHP packages we have in the
archive.

That alone is grounds enough to allow ocportal in IMO.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread brian m. carlson
On Fri, May 06, 2011 at 08:33:27PM +0200, Tshepang Lekhonkhobe wrote:
> I'm curious though, why is there an objection against CMS inclusions in
> general?

When there are many packages which provide similar functionality
(whether that is a CMS, a window manager, or whatever) then it's
reasonable to ask what the features are for one that will be added to
the archive and what makes it better than the alternatives.  It happens
on occasion that a packager may decide that there is a better tool for
their needs and use that instead.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread George Danchev
On Friday 06 May 2011 20:30:32 Tshepang Lekhonkhobe wrote:
> On Fri, 2011-05-06 at 20:03 +0300, George Danchev wrote:
> > On Friday 06 May 2011 19:39:26 Tshepang Lekhonkhobe wrote:
> > > On Fri, 2011-05-06 at 13:24 -0300, Ben Armstrong wrote:
> > > > On 05/06/2011 12:14 PM, Tshepang Lekhonkhobe wrote:
> > > > > Q: How many content management systems written in php does Debian
> > > > > need? A: How about zero?
> > > > > 
> > > > > Not exactly helpful.
> > > > 
> > > > When developers are passionately opposed to a particular technology
> > > > (and not without reason here, I think,) they can be a bit blunt in
> > > > expressing it. The list of these goes on and on ... and while I
> > > > certainly would be more polite myself about expressing reservations
> > > > about adding any more, I'm not going to fault others for expressing
> > > > their dissent. The way you expressed your support seemed to me to
> > > > gloss over the real cost of adding a new package to the archive
> > > > without any coherent argument as to why this particular one was
> > > > going to be no trouble at all (and/or worth the trouble because it's
> > > > so special).
> > > 
> > > Strange that you read 'support' into my responses. Actually I have
> > > never even heard of the proposed package, but that's not the point. I
> > > even mentioned that if the package sucketh (if the guy proposing it
> > > proves unreliable), then it can either remain in Unstable or be
> > > removed.
> > 
> > Upload to 'unstable' and see how it goes could be quite suboptimal
> > tactics most of the time. I'm not talking about that particular package,
> > but not every package which flies in the free software skies deserves to
> > be in Debian archive in my own opinion. Inclusion costs human time.
> 
> I am not opposed to this. But again, that was not the point. Point was
> automatic 'should not be in Debian' without giving reasons. And if
> maintainer is willing to be on top of things, what extra work is there
> for anyone, except those handling NEW?
> 
> > > You don't just blatantly oppose Debian inclusion without mentioning
> > > why. The great Josselin Mouette (yes, I really respect this guy for
> > > his tireless GNOME maintenance) just did that, and the rest of us are
> > > supposed to magically possess the history of PHP in Debian, and laugh
> > > it off.
> > > 
> > > And no, you should fault others for expressing their dissent in this
> > > unproductive manner.
> > 
> > Well, maybe if you look at that from a different angle, you can find it
> > productive as in: don't spend your time packaging that particular one, as
> > chances are very low for upload.
> 
> I don't understand what you are saying here. My point was the manner in
> which the response was made. I used the word 'productive' because the
> guy wasn't saying why he was objecting to this particular package.

Here are some points to consider:
* responsible for the uploads and overall package quality is the one whose key 
is in debian-keyring and who actually uploads the package, obviously.
* writing a meaningful ITP helps to grab attention, especially if there are 
multiple alternatives. Prove your point (ref: I'm upstream and I want to 
maintain it, doesn't magically buy you a slot into the archive)
* writing lengthy rebuttals for well known facts from the past is quite 
unlikely, people have more important things to do.
* recognize the fact when someone says that chances are high you are about to 
be wasting your own time packaging $something.

If someone capable uploads it since it is found to be useful for whatever 
reason that's fine, which is unlikely imo, otherwise it is a waste of human 
time.

-- 
pub 4096R/0E4BD0AB 





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 14:54 -0300, Ben Armstrong wrote:
> On 05/06/2011 02:39 PM, Tshepang Lekhonkhobe wrote:
> > I was responding to someone who said I 'supported' inclusion of proposed
> > package.
> 
> Ah, I misunderstood. My apologies.

Welcome.

> > Yeah, good point. So it's not enough for packager to say he will be
> > responsive to problems?
> 
> Packages, once uploaded, enter the Debian ecosystem and therefore
> involve some time from many others: the security team, the ftpmasters,
> the release managers, BSP participants, etc. as well as consuming
> resources (archive space, autobuild time, etc.) So the cost needs to be
> justified by the value to Debian. If there is no perceived value, the
> package should not be added to the archive.

Understood, but what's so hard about removing a package that's unloved
(and moving it to some unofficial repository)?

> > As I've mentioned elsewhere on this thread, it's not kool to just say
> > 'no', without stating why.
> 
> Huh. I thought Joss did say why. It's a CMS. It's PHP. That's why. :)
> (and maybe that's not enough for you, but those are reasons *I* wouldn't
> invest time in such an endeavour.)

Actually he didn't say why. It might be implied, but not all of us know
the guy well enough to know what he means.

I'm curious though, why is there an objection against CMS inclusions in
general?

> > I'm lost there. What you mean about the mirror thing, and about the
> > sarcasm thing? Where did I use sarcasm?
> 
> If referring to Joss as "The great Josselin Mouette" was sincere and not
> sarcasm, then my mistake. It had the appearance of a jab.

I tried to avoid that by mentioning why I called him great. Here's more:

His tireless work on Debian GNOME packaging impresses me, and that's my
favorite desktop. He appears to me the most visible member of the team.
I trust him to help build a solid GNOME desktop, and that's not exactly
a trivial task. He's one of Debian legends. Such excellence makes it
even more sad when he gets this unproductive.





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Ben Armstrong
On 05/06/2011 02:39 PM, Tshepang Lekhonkhobe wrote:
> I was responding to someone who said I 'supported' inclusion of proposed
> package.

Ah, I misunderstood. My apologies.

> Yeah, good point. So it's not enough for packager to say he will be
> responsive to problems?

Packages, once uploaded, enter the Debian ecosystem and therefore
involve some time from many others: the security team, the ftpmasters,
the release managers, BSP participants, etc. as well as consuming
resources (archive space, autobuild time, etc.) So the cost needs to be
justified by the value to Debian. If there is no perceived value, the
package should not be added to the archive.

> As I've mentioned elsewhere on this thread, it's not kool to just say
> 'no', without stating why.

Huh. I thought Joss did say why. It's a CMS. It's PHP. That's why. :)
(and maybe that's not enough for you, but those are reasons *I* wouldn't
invest time in such an endeavour.)

> I'm lost there. What you mean about the mirror thing, and about the
> sarcasm thing? Where did I use sarcasm?

If referring to Joss as "The great Josselin Mouette" was sincere and not
sarcasm, then my mistake. It had the appearance of a jab.

Ben





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 13:56 -0300, Ben Armstrong wrote:
> We can stop CCing the bug# now, as this subthread is apparently no
> longer about the ITP itself, but about "proper" conduct in discussing an
> ITP.
> 
> On 05/06/2011 01:39 PM, Tshepang Lekhonkhobe wrote:
> > Strange that you read 'support' into my responses.
> 
> By support, I hope you understand I mean the Debian project
> infrastructure cost of adding another package to the archive, not user
> support. That was my sole objection. Your statement here is what made me
> jump in and speak up:

I was responding to someone who said I 'supported' inclusion of proposed
package.

> > It's always convenient to have a package in
> > Debian, instead of hunting for it upstream. If it rots in Debian, then
> > it can easily be removed again (or left in Unstable).
> 
> I strongly disagree. Every addition to the archive must be justified.
> Your defense seemed implicitly to hinge on "zero cost" of adding a new
> one (i.e. convenience trumps other concerns).

Yeah, sure. I agree. My mistake.

> > Actually I have never
> > even heard of the proposed package, but that's not the point. I even
> > mentioned that if the package sucketh (if the guy proposing it proves
> > unreliable), then it can either remain in Unstable or be removed.
> 
> That's putting the quality control on the wrong end. Nobody gets to
> spend our time keeping a package in the archive as a trial of whether
> it's good or not. We need to justify its inclusion first.

Yeah, good point. So it's not enough for packager to say he will be
responsive to problems?

> > And no, you should fault others for expressing their dissent in this
> > unproductive manner.
> 
> I should? Or maybe you should read it for what it clearly is, a blunt
> "minus one" vote due to the technology it's based on. And while you
> write your sarcasm-tinged replies calling down other developers for
> using the wrong tone, why don't you look in the mirror?

As I've mentioned elsewhere on this thread, it's not kool to just say
'no', without stating why.

I'm lost there. What you mean about the mirror thing, and about the
sarcasm thing? Where did I use sarcasm?





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 20:03 +0300, George Danchev wrote:
> On Friday 06 May 2011 19:39:26 Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 13:24 -0300, Ben Armstrong wrote:
> > > On 05/06/2011 12:14 PM, Tshepang Lekhonkhobe wrote:
> > > > Q: How many content management systems written in php does Debian need?
> > > > A: How about zero?
> > > > 
> > > > Not exactly helpful.
> > > 
> > > When developers are passionately opposed to a particular technology (and
> > > not without reason here, I think,) they can be a bit blunt in expressing
> > > it. The list of these goes on and on ... and while I certainly would be
> > > more polite myself about expressing reservations about adding any more,
> > > I'm not going to fault others for expressing their dissent. The way you
> > > expressed your support seemed to me to gloss over the real cost of
> > > adding a new package to the archive without any coherent argument as to
> > > why this particular one was going to be no trouble at all (and/or worth
> > > the trouble because it's so special).
> > 
> > Strange that you read 'support' into my responses. Actually I have never
> > even heard of the proposed package, but that's not the point. I even
> > mentioned that if the package sucketh (if the guy proposing it proves
> > unreliable), then it can either remain in Unstable or be removed.
> 
> Upload to 'unstable' and see how it goes could be quite suboptimal tactics
> most of the time. I'm not talking about that particular package, but not
> every package which flies in the free software skies deserves to be in Debian
> archive in my own opinion. Inclusion costs human time.

I am not opposed to this. But again, that was not the point. Point was
automatic 'should not be in Debian' without giving reasons. And if
maintainer is willing to be on top of things, what extra work is there
for anyone, except those handling NEW?

> > You don't just blatantly oppose Debian inclusion without mentioning why.
> > The great Josselin Mouette (yes, I really respect this guy for his
> > tireless GNOME maintenance) just did that, and the rest of us are
> > supposed to magically possess the history of PHP in Debian, and laugh it
> > off.
> > 
> > And no, you should fault others for expressing their dissent in this
> > unproductive manner.
> 
> Well, maybe if you look at that from a different angle, you can find it 
> productive as in: don't spend your time packaging that particular one, as 
> chances are very low for upload.

I don't understand what you are saying here. My point was the manner in
which the response was made. I used the word 'productive' because the
guy wasn't saying why he was objecting to this particular package.





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Ben Armstrong
We can stop CCing the bug# now, as this subthread is apparently no
longer about the ITP itself, but about "proper" conduct in discussing an
ITP.

On 05/06/2011 01:39 PM, Tshepang Lekhonkhobe wrote:
> Strange that you read 'support' into my responses.

By support, I hope you understand I mean the Debian project
infrastructure cost of adding another package to the archive, not user
support. That was my sole objection. Your statement here is what made me
jump in and speak up:

> It's always convenient to have a package in
> Debian, instead of hunting for it upstream. If it rots in Debian, then
> it can easily be removed again (or left in Unstable).

I strongly disagree. Every addition to the archive must be justified.
Your defense seemed implicitly to hinge on "zero cost" of adding a new
one (i.e. convenience trumps other concerns).

> Actually I have never
> even heard of the proposed package, but that's not the point. I even
> mentioned that if the package sucketh (if the guy proposing it proves
> unreliable), then it can either remain in Unstable or be removed.

That's putting the quality control on the wrong end. Nobody gets to
spend our time keeping a package in the archive as a trial of whether
it's good or not. We need to justify its inclusion first.

> And no, you should fault others for expressing their dissent in this
> unproductive manner.

I should? Or maybe you should read it for what it clearly is, a blunt
"minus one" vote due to the technology it's based on. And while you
write your sarcasm-tinged replies calling down other developers for
using the wrong tone, why don't you look in the mirror?

Ben





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread George Danchev
On Friday 06 May 2011 19:39:26 Tshepang Lekhonkhobe wrote:
> On Fri, 2011-05-06 at 13:24 -0300, Ben Armstrong wrote:
> > On 05/06/2011 12:14 PM, Tshepang Lekhonkhobe wrote:
> > > Q: How many content management systems written in php does Debian need?
> > > A: How about zero?
> > > 
> > > Not exactly helpful.
> > 
> > When developers are passionately opposed to a particular technology (and
> > not without reason here, I think,) they can be a bit blunt in expressing
> > it. The list of these goes on and on ... and while I certainly would be
> > more polite myself about expressing reservations about adding any more,
> > I'm not going to fault others for expressing their dissent. The way you
> > expressed your support seemed to me to gloss over the real cost of
> > adding a new package to the archive without any coherent argument as to
> > why this particular one was going to be no trouble at all (and/or worth
> > the trouble because it's so special).
> 
> Strange that you read 'support' into my responses. Actually I have never
> even heard of the proposed package, but that's not the point. I even
> mentioned that if the package sucketh (if the guy proposing it proves
> unreliable), then it can either remain in Unstable or be removed.

Upload to 'unstable' and see how it goes could be quite suboptimal tactics 
most of the time. I'm not talking about that particular package, but not every 
package which flies in the free software skies deserves to be in Debian archive 
in my own opinion. Inclusion costs human time.

> You don't just blatantly oppose Debian inclusion without mentioning why.
> The great Josselin Mouette (yes, I really respect this guy for his
> tireless GNOME maintenance) just did that, and the rest of us are
> supposed to magically possess the history of PHP in Debian, and laugh it
> off.
> 
> And no, you should fault others for expressing their dissent in this
> unproductive manner.

Well, maybe if you look at that from a different angle, you can find it 
productive as in: don't spend your time packaging that particular one, as 
chances are very low for upload.

-- 
pub 4096R/0E4BD0AB 





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Ben Armstrong
On 05/06/2011 12:14 PM, Tshepang Lekhonkhobe wrote:
> Q: How many content management systems written in php does Debian need?
> A: How about zero?
> 
> Not exactly helpful.

When developers are passionately opposed to a particular technology (and
not without reason here, I think,) they can be a bit blunt in expressing
it. The list of these goes on and on ... and while I certainly would be
more polite myself about expressing reservations about adding any more,
I'm not going to fault others for expressing their dissent. The way you
expressed your support seemed to me to gloss over the real cost of
adding a new package to the archive without any coherent argument as to
why this particular one was going to be no trouble at all (and/or worth
the trouble because it's so special).

Ben





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 13:24 -0300, Ben Armstrong wrote:
> On 05/06/2011 12:14 PM, Tshepang Lekhonkhobe wrote:
> > Q: How many content management systems written in php does Debian need?
> > A: How about zero?
> > 
> > Not exactly helpful.
> 
> When developers are passionately opposed to a particular technology (and
> not without reason here, I think,) they can be a bit blunt in expressing
> it. The list of these goes on and on ... and while I certainly would be
> more polite myself about expressing reservations about adding any more,
> I'm not going to fault others for expressing their dissent. The way you
> expressed your support seemed to me to gloss over the real cost of
> adding a new package to the archive without any coherent argument as to
> why this particular one was going to be no trouble at all (and/or worth
> the trouble because it's so special).

Strange that you read 'support' into my responses. Actually I have never
even heard of the proposed package, but that's not the point. I even
mentioned that if the package sucketh (if the guy proposing it proves
unreliable), then it can either remain in Unstable or be removed.

You don't just blatantly oppose Debian inclusion without mentioning why.
The great Josselin Mouette (yes, I really respect this guy for his
tireless GNOME maintenance) just did that, and the rest of us are
supposed to magically possess the history of PHP in Debian, and laugh it
off.

And no, you should fault others for expressing their dissent in this
unproductive manner.





Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Chris Warburton
On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > >   Programming Lang: PHP
> > > >   Description : ocPortal is a Content Management System for
> > > >   building
> > > > 
> > > > and maintaining a dynamic website
> > > 
> > > How many content management systems written in php does Debian need?
> > 
> > It's not kool that you didn't even ask about how good it is. Maybe it's
> > better than whatever exists in Debian currently, have you checked? My
> > point is your question isn't helpful. It smacks of flaming.
> 
> The question I should have asked is what is its security record like.  This
> is an area that's rife with applications that have 'poor' security records.
> Adding more to that pile would be an unfortunate burden on the security team.
> That's probably the most significant of the project wide costs adding a
> package like this brings with it.
> 
> Scott K

Hi Scott. ocPortal isn't massively widespread compared to other systems,
so there's obviously less experimental proof of security. We had a
security hole a few years ago; this was before I got involved, but
there's details here http://en.wikipedia.org/wiki/OcPortal#Criticisms

Official ocPortal releases are managed by ocProducts, a company set up
around ocPortal (and who pay my salary), and we have a clear security
policy which can be found here
http://ocportal.com/site/maintenance.htm .

We also regularly run static code analysis tools on the codebase and we
test every release with a hacked PHP runtime that 1) triggers errors if
strings are not explicitly sanitised before going through eval, getting
echoed to a browser or being entered into a database, and 2) enforces a
type system on variables and function calls (based on type signatures
written into the PHPdoc of every function), and raises an error if there
is a type mismatch. I actually run this hacked PHP on my system in place
of the distro's own.

If there are specific security concerns I'd be happy to address them.

Thanks,
Chris Warburton


Archive: http://lists.debian.org/1304697369.20621.51.camel@linuxfedora
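
The two runtime checks described in the message above (unsanitised strings rejected at output sinks, argument types enforced from PHPdoc), approximated in userland PHP 8 as an added illustration; this is not ocPortal's patched runtime or code from the thread. `Tainted`, `checked_call` and `render_heading` are hypothetical names, and the docblock types are assumed to use the names `get_debug_type()` returns.

```php
<?php
declare(strict_types=1);

// Added illustration for PHP 8.0+; every name here is hypothetical.

/** Untrusted input. It has no __toString(), so echo or concatenation throws an Error. */
final class Tainted
{
    public function __construct(private string $raw) {}

    /** Explicit sanitisation for the "echoed to a browser" sink. */
    public function forHtml(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** Calls $fn after checking each argument against the @param types in its docblock. */
function checked_call(string $fn, mixed ...$args): mixed
{
    $doc = (string) (new ReflectionFunction($fn))->getDocComment();
    preg_match_all('/@param\s+(\S+)\s+\$(\w+)/', $doc, $params, PREG_SET_ORDER);
    foreach ($params as $i => [, $type, $name]) {
        if (!array_key_exists($i, $args)) {
            continue; // argument omitted; nothing to check
        }
        $actual = get_debug_type($args[$i]); // "int", "string", "Tainted", ...
        if (!in_array($actual, explode('|', $type), true)) {
            throw new TypeError("\$$name expects $type, got $actual");
        }
    }
    return $fn(...$args);
}

/**
 * @param string $title
 * @param int    $page
 */
function render_heading($title, $page)
{
    return '<h1>' . $title . ' (page ' . $page . ')</h1>';
}

$input = new Tainted('<b>Bob</b> & co'); // constructed sample request value

// Explicitly sanitised and correctly typed: allowed.
echo checked_call('render_heading', $input->forHtml(), 2), "\n";

$attempts = [
    'unsanitised argument' => fn () => checked_call('render_heading', $input, 2),
    'string where int is documented' => fn () => checked_call('render_heading', 'Home', '2'),
    'direct concatenation' => fn () => 'Hello ' . $input,
];
foreach ($attempts as $label => $attempt) {
    try {
        $attempt();
    } catch (Error $e) { // TypeError is a subclass of Error
        echo "blocked ($label): ", $e->getMessage(), "\n";
    }
}
```

A wrapper class only catches values that were wrapped at the input boundary; a patched runtime like the one described can track every string, which is why the two are not equivalent.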



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Chris Warburton
On Fri, 2011-05-06 at 17:14 +0200, Tshepang Lekhonkhobe wrote:
> On Fri, 2011-05-06 at 11:00 -0300, Ben Armstrong wrote:
> > On 05/06/2011 10:49 AM, Tshepang Lekhonkhobe wrote:
> > > What's up with the hate? It's always convenient to have a package in
> > > Debian, instead of hunting for it upstream. If it rots in Debian, then
> > > it can easily be removed again (or left in Unstable).
> > 
> > Wrong. Every additional package costs the whole Debian project in
> > numerous ways. That's why we have these discussions up front on all
> > ITPs, so objections can be voiced.
> 
> Q: How many content management systems written in php does Debian need?
> A: How about zero?
> 
> Not exactly helpful.
> 
> That was before discussing if the guy filing the ITP mentioned his
> readiness to respond to any RC bugs.
> 
I should probably point out that I am an upstream ocPortal developer, so
I should be as capable as anyone in fixing technical bugs, and as a
long-time Debian user I don't count Debian bugs as any less important
than core ocPortal bugs.
With this said, I'm obviously incapable of some things. As an example,
ocPortal uses "swfupload" which may require me to wait on ITP bug
#609110, although I don't mind taking over its packaging if its activity
has ceased (I'm not familiar with the protocol for handling such cases).

Thanks,
Chris Warburton


Archive: http://lists.debian.org/1304696077.20621.37.camel@linuxfedora



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > >   Programming Lang: PHP
> > > >   Description : ocPortal is a Content Management System for building
> > > > and maintaining a dynamic website
> > > 
> > > How many content management systems written in php does Debian need?
> > 
> > It's not kool that you didn't even ask about how good it is. Maybe it's
> > better than whatever exists in Debian currently, have you checked? My
> > point is your question isn't helpful. It smacks of flaming.
> 
> The question I should have asked is what is its security record like.  This
> is an area that's rife with applications that have 'poor' security records.
> Adding more to that pile would be an unfortunate burden on the security team.
> That's probably the most significant of the project wide costs adding a
> package like this brings with it.

Thanks for putting your objection in a more readable/friendly form.



Archive: http://lists.debian.org/1304697006.20397.12.camel@debian.tauspace.local



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Scott Kitterman
On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > >   Programming Lang: PHP
> > >   Description : ocPortal is a Content Management System for building
> > > and maintaining a dynamic website
> > 
> > How many content management systems written in php does Debian need?
> 
> It's not kool that you didn't even ask about how good it is. Maybe it's
> better than whatever exists in Debian currently, have you checked? My
> point is your question isn't helpful. It smacks of flaming.

The question I should have asked is what is its security record like.  This 
is an area that's rife with applications that have 'poor' security records.  
Adding more to that pile would be an unfortunate burden on the security team.  
That's probably the most significant of the project wide costs adding a package 
like this brings with it.

Scott K


Archive: http://lists.debian.org/201105061129.34693.deb...@kitterman.com



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> >   Programming Lang: PHP
> >   Description : ocPortal is a Content Management System for building
> > and maintaining a dynamic website
> 
> How many content management systems written in php does Debian need?

It's not kool that you didn't even ask about how good it is. Maybe it's
better than whatever exists in Debian currently, have you checked? My
point is your question isn't helpful. It smacks of flaming.



Archive: http://lists.debian.org/1304695430.20397.10.camel@debian.tauspace.local



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 11:00 -0300, Ben Armstrong wrote:
> On 05/06/2011 10:49 AM, Tshepang Lekhonkhobe wrote:
> > What's up with the hate? It's always convenient to have a package in
> > Debian, instead of hunting for it upstream. If it rots in Debian, then
> > it can easily be removed again (or left in Unstable).
> 
> Wrong. Every additional package costs the whole Debian project in
> numerous ways. That's why we have these discussions up front on all
> ITPs, so objections can be voiced.

Q: How many content management systems written in php does Debian need?
A: How about zero?

Not exactly helpful.

That was before discussing if the guy filing the ITP mentioned his
readiness to respond to any RC bugs.


Archive: http://lists.debian.org/1304694881.20397.7.camel@debian.tauspace.local



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Chris Warburton
On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> >   Programming Lang: PHP
> >   Description : ocPortal is a Content Management System for building
> > and maintaining a dynamic website
> 
> How many content management systems written in php does Debian need?
> 
> Scott K

About the same as the number of C window managers? ;)
You have a valid point, so I've had a quick attempt to justify this. A
quick package search for "cms" and "content management" in all suites
gives 8 distinct, self-described CMS systems in Debian. 5 of these are
written in PHP.

For those which have entries, I've compared them on cmsmatrix.org and
the most impressive entry is WebGUI, which is made in Perl. However, the
(somewhat arbitrary) cmsmatrix feature count is still +4 in favour of
ocPortal. Also, for those who are into it, ocPortal is under the
Affero-style CPAL license, which is the reason I got involved in the
project.

Thanks,
Chris Warburton


Archive: http://lists.debian.org/1304692143.20621.20.camel@linuxfedora



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Ben Armstrong
On 05/06/2011 10:49 AM, Tshepang Lekhonkhobe wrote:
> What's up with the hate? It's always convenient to have a package in
> Debian, instead of hunting for it upstream. If it rots in Debian, then
> it can easily be removed again (or left in Unstable).

Wrong. Every additional package costs the whole Debian project in
numerous ways. That's why we have these discussions up front on all
ITPs, so objections can be voiced.

Ben


Archive: http://lists.debian.org/4dc3ff0c.3080...@debian.org



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Tshepang Lekhonkhobe
On Fri, 2011-05-06 at 15:16 +0200, Josselin Mouette wrote:
> On Friday 06 May 2011 at 09:11 -0400, Scott Kitterman wrote:
> > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > >   Programming Lang: PHP
> > >   Description : ocPortal is a Content Management System for building
> > > and maintaining a dynamic website
> > 
> > How many content management systems written in php does Debian need?
> 
> How about zero?

What's up with the hate? It's always convenient to have a package in
Debian, instead of hunting for it upstream. If it rots in Debian, then
it can easily be removed again (or left in Unstable).


Archive: http://lists.debian.org/1304689785.20397.1.camel@debian.tauspace.local



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Scott Kitterman
On Friday, May 06, 2011 09:21:08 AM Rens Houben wrote:
> In other news for Fri, May 06, 2011 at 09:11:08AM -0400, Scott Kitterman has
> been seen typing:
> > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > >   Programming Lang: PHP
> > >   Description : ocPortal is a Content Management System for building
> > > and maintaining a dynamic website
> > 
> > How many content management systems written in php does Debian need?
> 
> Dunno. How many text editors, window managers, roguelikes, programming
> languages and smtp daemons does Debian need?

When was the last time you saw a DSA for a text editor? (yes, I know they 
happen but they are relatively quite rare)

Scott K


Archive: http://lists.debian.org/201105060940.27440.deb...@kitterman.com



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Rens Houben
In other news for Fri, May 06, 2011 at 09:11:08AM -0400, Scott Kitterman has 
been seen typing:
> On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> >   Programming Lang: PHP
> >   Description : ocPortal is a Content Management System for building
> > and maintaining a dynamic website
> 
> How many content management systems written in php does Debian need?

Dunno. How many text editors, window managers, roguelikes, programming
languages and smtp daemons does Debian need?

> Scott K



-- 
Rens Houben   |opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.   |they'll tell you themselves
PGP key at http://proteus.systemec.nl/~shadur/shadur.key.asc


Archive: http://lists.debian.org/20110506132108.ga32...@proteus.systemec.nl



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Josselin Mouette
On Friday 06 May 2011 at 09:11 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> >   Programming Lang: PHP
> >   Description : ocPortal is a Content Management System for building
> > and maintaining a dynamic website
> 
> How many content management systems written in php does Debian need?

How about zero?

-- 
Joss


Archive: http://lists.debian.org/1304687818.3352.29.camel@pi0307572



Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Scott Kitterman
On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
>   Programming Lang: PHP
>   Description : ocPortal is a Content Management System for building
> and maintaining a dynamic website

How many content management systems written in php does Debian need?

Scott K


Archive: http://lists.debian.org/201105060911.09204.deb...@kitterman.com



Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

2011-05-06 Thread Chris Warburton
Package: wnpp
Severity: wishlist
Owner: Chris Warburton 


* Package name: ocportal
  Version : 6.1.1
  Upstream Author : Chris Graham 
* URL : http://www.ocportal.com
* License : CPAL
  Programming Lang: PHP
  Description : ocPortal is a Content Management System for building and maintaining a dynamic website

ocPortal is a Content Management System (CMS), which acts as the "engine" to
run sophisticated, dynamic Web sites. ocPortal attempts to include as much
functionality as possible "out of the box", with options to disable unwanted
modules after installation. An emphasis is placed on ease of use, with built-in
GUIs for all common requirements, whilst reprogramming is supported through a
system of file overrides.

ocPortal sites can host content of various types including news, member blogs,
events, galleries (images, video, audio, Flash), file downloads and
user-defined "catalogue" data. Many modules are included for dynamic features
such as forums, chat rooms, Wikis, commenting, rating, awards, trackbacks,
polls, quizzes, ecommerce (products sales and usergroup subscription) and a
'points' system for rewarding contributors. Content can be made available in
multiple languages and will be automatically analysed for Search Engine
Optimisation.

Powerful administration tools are available, including banner networks, a
comprehensive admin zone with check lists and reminders, email newsletters
(including automatic "What's new?" issues), site statistics, hacking detection
and alerts, backups, theming tools and a powerful commandline environment.

ocPortal is written in PHP, XHTML and Javascript and conforms to Web and
Accessibility standards. Custom languages are included for theming/templating
(Tempcode) and markup (Comcode), the latter being inspired by the "BBCode"
language found on many forums. ocPortal includes its own forum, called OCF, but
can also integrate or import many third-party forums and CMSs. There is
currently at least some support for: AEF, Burning Board, IPB, Joomla, MKPortal,
MyBB, phpBB, phpNuke, SMF, static HTML, vB, Wordpress and WowBB.

ocPortal requires PHP 4.2+ or HipHop, MySQL and a Web server such as Apache.
ocPortal development is supported by ocProducts Ltd.



Archive: http://lists.debian.org/20110506125621.24012.17736.reportbug@linuxfedora