Bug#471801: Bug#526878: Bug#504283: Bug#471801: egroupware adoption or removal?

2009-08-22 Thread Ralf Becker
Hi Jan,

Jan Wagner wrote:
> Hi Ralf,
>
> one of the main problems for packaging egroupware (not exclusively relevant for
> debian) is the huge amount of embedded code copies[1] (search for
> 'egroupware'). This was the reason to not include egroupware into sarge and is
> the actual reason for removing from testing. If there pops up a security
> problem for any embedded code copy, the (egroupware) package needs to be fixed in
> any way. The ideal solution would be to get rid of the embedded code copies in
> the egroupware debian package and use the debian package of the embedded code
> copy. For example with phpmailer, just the phpmailer package needs to be fixed
> and egroupware is not vuln anymore.
> The actual problem is, to fix the problem in the egroupware package too, which
> is a big security mess.

Unfortunately the problem is more complex. Here are a few reasons why
code is embedded into EGroupware instead of using external libraries:

- upstream did not accept patches necessary for bugfixes or
enhancements (e.g. CalDAV support via HTTP_WebDAV_Server)
- missing time and resources to communicate and negotiate with upstream
to accept required modifications
- not creating more dependencies for inexperienced users mostly using
zip archives under Windows (I know that does not matter for Debian, but it's
important for our user base). So far we only have dependencies in either
PHP extensions or PEAR packages (for the EGroupware core).
- sharing authentication and sessions with other external applications
can usually not be achieved with just a parallel installation. Even if
the software is untouched (as for example Gallery2) we need to provide
configuration files (fetching their data from EGroupware) within their
code trees
- other stuff like e.g. FCKeditor requires creating and/or configuring a
server-side backend

I know most of the above can be solved, if we look only at Debian and
EGroupware developers had more resources to spend in that area.

Looking at the exploits of the last years - the majority was caused by
embedded code - most were fixed within days of coming to my knowledge. That
process of course only starts after the upstream projects published.

> So if you could take this code copy issue into account, the conditions for
> egroupware in debian would benefit a lot.
>
> Thanks and with kind regards, Jan.
> [1] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file

This list is not up to date. It lists all problems as unfixed, which is
not the case: the exploits in these embedded packages are either:
- fixed in the most current EGroupware packages or
- cannot be executed in EGroupware (e.g. we use only SMTP in phpMailer)

Independent of how EGroupware is maintained in Debian in future, I'm
happy to work closer together with Debian Security Team, to get earlier
information about exploits in embedded code and coordinate security fixes.

If I'm going to maintain EGroupware in Debian, everyone can expect
same-time releases of Debian packages (to experimental), as the other
rpm packages or archives of EGroupware.

I will of course very likely try to handle at least the Linux packages of
EGroupware as close as possible together - though in the past mostly
rpm packages benefited from the already nice Debian packages.

I have now made many fixes and enhancements to our commercial Debian
packages, which I plan to integrate (or report back) to Debian.

Anyway most important for me is that EGroupware stays in Debian.
I'm happy if we (EGroupware project) have a competent and timely
available Debian maintainer, as we had in the past with Peter.

Ralf
-- 
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon  +49 (0) 6352 70629-0
fax  +49 (0) 6352 70629-30
mailto: r...@stylite.de

www.stylite.de
www.egroupware.org


Geschäftsführer Andre Keller, Gudrun Müller,
Nigel Vickers und Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951



--
To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#471801: Bug#504283: Bug#471801: egroupware adoption or removal?

2009-08-20 Thread Ralf Becker
Hi all,

I'm one of the admins and the main developer of EGroupware project.

Naturally I'm very interested that EGroupware stays in Debian.

I'm building the project's own rpm packages and, for a while now, also Debian
packages for a professional EGroupware line of my company.

I'm willing to maintain the Debian packages - though I have no idea
what the non-technical requirements on a Debian maintainer are.

Kind regards

Ralf

Martin Meredith wrote:
> On Thu, Aug 20, 2009 at 12:11:29PM +0200, Jan Wagner wrote:
>> Hi Martin,
>>
>> On Wednesday 29 July 2009 10:39:48 Martin Meredith wrote:
>>> On Wed, Jul 29, 2009 at 09:02:18AM +0200, Thomas Viehmann wrote:
>>>> Hi everyone (formerly) interested in egroupware,
>>>>
>>>> egroupware seems to be in need for attention
>>>>
>>>>   #526878
>>>>   [egroupware-wiki] egroupware-core sets open_basedir which
>>>>   disables hook_config_validate.inc.php (egroupware-wiki) sanity
>>>>   check
>>>>   Date: Mon, 4 May 2009 08:15:01 UTC
>>>>
>>>>   #504283
>>>>   CVE-2007-3215: phpmailer issue (embedded code-copy)
>>>>   Date: Sun, 2 Nov 2008 12:33:01 UTC
>>>>
>>>> It would seem that egroupware should either be adopted and fixed for
>>>> squeeze or removed. Shipping it as an orphaned package sounds like a bad
>>>> idea.
>>>>
>>>> Kind regards
>>>>
>>>> T.
>>> I've suggested that I adopt this, however, the current maintainer seems to
>>> want to stay as maintainer, and just do everything through accessible by
>>> anyone svn. I'm not too sure exactly what he wants to do with this.
>> egroupware was removed from testing and Peter orphaned the package. Are you
>> willing to adopt the package?
>>
>> With kind regards, Jan.
>
> Potentially, but I need to look it over, and I don't have a key in the keyring
> atm.
 
 
 




Bug#497123: RFP: libjs-calendar -- DHTML calendar widget

2008-08-30 Thread Ralf Becker

eGroupware uses and relies on a modified version of jscalendar.

Unfortunately these modifications were never accepted by the jscalendar
author :-(


Therefore - beside the policy - I think this bug should be closed for 
eGroupware.


Ralf
eGroupware Administrator

Raphael Geissert wrote:

> Package: wnpp
> Severity: wishlist
>
> Homepage: http://sourceforge.net/projects/jscalendar
> Language: javascript
> Licence: LGPL
>
> There are several packages in the archive shipping a copy of jscalendar,
> but according to Policy 4.13 they shouldn't.
>
> Cheers,


--
Ralf Becker
eGroupWare Training  Support == http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 (0)631 31657-0


