Re: Question about web applications
On 06/06/2009 08:27 PM, King InuYasha wrote:
> Dan, the developer of Enano CMS, which I am packaging, has said that if you guys and myself can identify all the places a 3rd party bundled library worthy of being separated is, he will add the APIs necessary to support linking out to 3rd party code in separate packages outside of Enano root.

Excellent!

> With two exceptions: TinyMCE and jQuery. Since both are javascript libraries, they cannot have security updates.

The claim that JavaScript libraries are immune to security flaws is untrue. Furthermore, they are also subject to the licensing problems that I mentioned as the second reason we do not bundle libraries in the Enano ticket.

However, JavaScript libraries bundled with web frameworks are currently allowed until we work out how the JavaScript libraries should be packaged. I'm currently leaning towards using static linking as the model for JavaScript packaging, but I don't know if it will pass muster or not.

Basically, JavaScript, like other scripting languages, can be dynamically linked by referring to a URL for the JavaScript library in a web page. The original draft of the JavaScript Guidelines defined URLs where the libraries would reside on the server and therefore where they could be referenced from. (You can see that draft here: http://fedoraproject.org/wiki/PackagingDrafts/JavaScript )

However, JavaScript libraries are different from PHP, python, perl, etc., in that they are files that are installed on the server running Fedora but delivered and executed on a client via an http connection. Because of this, optimizations to make smaller files and more efficient use of http can have an impact on the perceived performance of the web application. So I'm working on a new draft that takes into account compiling a JavaScript file (basically, combining multiple files together and compressing the result).

Since the optimal way to do this is to combine all the files that are needed for a page (or multiple pages of an application), the combined file is very likely to be specific to the application. This seems close to static linking functions from libraries together with some application code to make a program, so the rules for keeping that sane within Fedora seem to make sense as a model for what to do here. Among other things this would mean:

* We would link against the system installed version of the library, not the bundled copy.
* The application could continue to use the same location for the library, but the library would have to be copied to that location from the system version, not from any bundled version.
* Packagers would be required to add themselves to the CC list of the JavaScript libraries they depend on so that they are made aware of new releases and can rebuild their packages to pick up the changes.

If people like or dislike using static linking as the model, please send in your comments.

-Toshio

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
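The static-linking model Toshio sketches (take the library from the system package, copy it into the location the application expects, then combine everything the page needs into one compressed file) as a worked build step. This is an added illustration, not code from the thread, from Fedora's guidelines or from any project named here: the `<system_root>/<lib>/<file>` layout (in the style of /usr/share/javascript), the manifest format and the function names are assumptions, and the sample files are constructed. The check it adds is the one a packager wants before replacing a bundled copy: whether the copy the application ships is identical to the system version or has drifted from it (and so may be missing upstream fixes).

```python
import gzip
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, used to compare a bundled copy with the system copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_system_lib(system_root, lib, filename):
    """Locate the system-installed copy of a library file.

    Assumed layout (not from the thread): <system_root>/<lib>/<filename>.
    If the system copy is absent the build fails rather than silently
    falling back to whatever the application bundled.
    """
    path = os.path.join(system_root, lib, filename)
    if not os.path.isfile(path):
        raise FileNotFoundError(
            f"system copy of {lib}/{filename} is not installed; "
            "add the library package as a build dependency")
    return path


def bundled_status(app_path, system_path):
    """'missing' (app ships no copy), 'identical' (matches the system file
    byte for byte) or 'stale' (differs, so it may lack upstream fixes)."""
    if not os.path.isfile(app_path):
        return "missing"
    return "identical" if sha256_of(app_path) == sha256_of(system_path) else "stale"


def link_javascript(app_root, system_root, manifest, output_path):
    """Statically link the JavaScript an application needs from system copies.

    manifest: list of (lib, filename, app_relative_path); an assumed format.
    Each system copy replaces whatever the application bundled at
    app_relative_path; all of them are then combined into output_path with a
    provenance header per library, plus a gzip sibling the web server can
    serve precompressed.  Returns {app_relative_path: status}.
    """
    report = {}
    parts = []
    for lib, filename, app_rel in manifest:
        system_path = resolve_system_lib(system_root, lib, filename)
        app_path = os.path.join(app_root, app_rel)
        report[app_rel] = bundled_status(app_path, system_path)
        # The application keeps its own location; the bytes now come from the system package.
        os.makedirs(os.path.dirname(app_path), exist_ok=True)
        shutil.copyfile(system_path, app_path)
        with open(system_path, encoding="utf-8") as f:
            body = f.read()
        parts.append(f"/* linked from system {lib}/{filename} "
                     f"sha256={sha256_of(system_path)} */\n{body}")
    combined = "\n".join(parts) + "\n"
    os.makedirs(os.path.dirname(output_path), exist_ok=True)
    with open(output_path, "w", encoding="utf-8") as f:
        f.write(combined)
    with gzip.open(output_path + ".gz", "wb") as f:
        f.write(combined.encode("utf-8"))
    return report


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed fixture: a stale bundled jQuery and a TinyMCE the app never shipped."""
    root = tempfile.mkdtemp(prefix="jslink-")
    system_root = os.path.join(root, "system")
    app_root = os.path.join(root, "app")
    # Constructed sample files; the version strings are placeholders, not real releases.
    _write(os.path.join(system_root, "jquery", "jquery.js"),
           "window.jQuery = {version: 'SYSTEM-jquery'};\n")
    _write(os.path.join(system_root, "tinymce", "tiny_mce.js"),
           "window.tinyMCE = {version: 'SYSTEM-tinymce'};\n")
    _write(os.path.join(app_root, "include", "jquery.js"),
           "window.jQuery = {version: 'BUNDLED-jquery'};\n")
    manifest = [("jquery", "jquery.js", "include/jquery.js"),
                ("tinymce", "tiny_mce.js", "include/tiny_mce.js")]
    output = os.path.join(app_root, "include", "app-combined.js")
    report = link_javascript(app_root, system_root, manifest, output)
    with open(output, encoding="utf-8") as f:
        combined = f.read()
    with gzip.open(output + ".gz", "rb") as f:
        gz_roundtrip = f.read().decode("utf-8") == combined
    app_now_matches = (sha256_of(os.path.join(app_root, "include", "jquery.js"))
                       == sha256_of(os.path.join(system_root, "jquery", "jquery.js")))
    shutil.rmtree(root)
    return {"report": report, "combined": combined,
            "gzip_roundtrip": gz_roundtrip, "app_copy_matches_system": app_now_matches}


if __name__ == "__main__":
    for path, status in demo()["report"].items():
        print(f"{status:9} {path}")
```

Run stand-alone it reports `stale include/jquery.js` and `missing include/tiny_mce.js`. The provenance header carries the system file's hash, which is what lets a security update to the library package be matched against the combined files that were built from it; a rebuild after the library update (the CC-list requirement in the third bullet) changes that hash.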
Re: Question about web applications
On Thu, Jun 4, 2009 at 1:41 PM, David Nalley da...@gnsa.us wrote:
> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>
> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.

Any taker for nusoap? One of my packages (mantis) embeds a copy of it as well...

--
Gianluca Sforna
http://morefedora.blogspot.com
http://www.linkedin.com/in/gianlucasforna
Re: Question about web applications
On Sat, Jun 6, 2009 at 12:54 PM, Gianluca Sforna gia...@gmail.com wrote:
> On Thu, Jun 4, 2009 at 1:41 PM, David Nalley da...@gnsa.us wrote:
>> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>>
>> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.
>
> Any taker for nusoap? One of my packages (mantis) embeds a copy of it as well...

I also need it. Please, go ahead.

I have already submitted getid3. pearxmlrpc is in Fedora. Therefore, I will have three. Yet a lot to go ...

drwxr-xr-x 2 root root 4096 2009-05-14 06:56 archive
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 captcha
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 emulator
drwxr-xr-x 3 root root 4096 2009-05-14 06:56 flash
drwxr-xr-x 3 root root 4096 2009-05-14 06:56 getid3 -
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 horde
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 httpq
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 infotools
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 kajax
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 localplay
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 mpd
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 nusoap -
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 pearxmlrpc
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 plugins
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 prototype
drwxr-xr-x 2 root root 4096 2009-05-14 06:56 validatemail

--
Paulo Roma Cavalcanti
LCG - UFRJ
Re: Question about web applications
David Nalley, Thu, 04 Jun 2009 07:00:25 -0400:
> Perhaps I am the least well suited to respond as I did some of the initial review. However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>
> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>
> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.

Yes, it is PITA, but try to compare this with the situation about Java packages and your problems will suddenly look trivial ;-). Yes, all dependencies need to be separated into their own packages (*if possible* from their respective upstream sources) and your package should be just requiring them.

Matěj
Question about web applications
Hi,

I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.

According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks (http://en.wikipedia.org/wiki/Spidering_Hacks) which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy (http://ampache.org/wiki/dev:philosophy) listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.

Does it make any sense to fiddle something that has always had security as a prime concern?

Any comment is welcome.

Thanks.

--
Paulo Roma Cavalcanti
LCG - UFRJ
Re: Question about web applications
On 06/04/2009 03:53 PM, Paulo Cavalcanti wrote:
> Hi,
>
> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.

Submit separate review requests for independent projects bundled within the source and add them as dependencies once they are approved.

> Does it make any sense to fiddle something that has always had security as a prime concern?

Yes, security is precisely one of the concerns with bundling independent sources together since bug fixes and security vulnerabilities will exist hidden.

Rahul
Re: Question about web applications
On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
> Hi,
>
> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>
> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>
> Does it make any sense to fiddle something that has always had security as a prime concern?
>
> Any comment is welcome.
>
> Thanks.
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ

Perhaps I am the least well suited to respond as I did some of the initial review. However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.

In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.

I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
Re: Question about web applications
On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti pro...@gmail.com wrote:
> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley da...@gnsa.us wrote:
>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>> Hi,
>>>
>>> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>>>
>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>>>
>>> Does it make any sense to fiddle something that has always had security as a prime concern?
>>>
>>> Any comment is welcome.
>>>
>>> Thanks.
>>>
>>> --
>>> Paulo Roma Cavalcanti
>>> LCG - UFRJ
>>
>> Perhaps I am the least well suited to respond as I did some of the initial review.
>
> No, on the contrary.
>
>> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>>
>> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>>
>> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
>
> Maybe we can list all of the packages we would like to have for web applications, and try to set up a task force to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with.

I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.

To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.
Re: Question about web applications
David Nalley wrote:
> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley da...@gnsa.us wrote:
>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>> Hi,
>>>>
>>>> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>>>>
>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>>>>
>>>> Does it make any sense to fiddle something that has always had security as a prime concern?
>>>>
>>>> Any comment is welcome.
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Paulo Roma Cavalcanti
>>>> LCG - UFRJ
>>>
>>> Perhaps I am the least well suited to respond as I did some of the initial review.
>>
>> No, on the contrary.
>>
>>> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>>>
>>> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>>>
>>> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
>>
>> Maybe we can list all of the packages we would like to have for web applications, and try to set up a task force to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with.
>
> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>
> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.

Count me in. I maintain several PHP apps, and having gone through the nightmare of switching from bundled to system libraries, I wholeheartedly agree that using system libraries from the beginning is the best way to go. Using the system lib means that security fixes are done in one place for all apps, and we don't have to patch the apps, or wait for upstream to push an update with an updated bundled lib. I'll help review, etc.

--
in your fear, speak only peace
in your fear, seek only love
-d. bowie
Re: Question about web applications
On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla l...@jcomserv.net wrote:
> David Nalley wrote:
>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley da...@gnsa.us wrote:
>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>>> Hi,
>>>>>
>>>>> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>>>>>
>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>>>>>
>>>>> Does it make any sense to fiddle something that has always had security as a prime concern?
>>>>>
>>>>> Any comment is welcome.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Paulo Roma Cavalcanti
>>>>> LCG - UFRJ
>>>>
>>>> Perhaps I am the least well suited to respond as I did some of the initial review.
>>>
>>> No, on the contrary.
>>>
>>>> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>>>>
>>>> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>>>>
>>>> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
>>>
>>> Maybe we can list all of the packages we would like to have for web applications, and try to set up a task force to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with.
>>
>> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>>
>> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.
>
> Count me in. I maintain several PHP apps, and having gone through the nightmare of switching from bundled to system libraries, I wholeheartedly agree that using system libraries from the beginning is the best way to go. Using the system lib means that security fixes are done in one place for all apps, and we don't have to patch the apps, or wait for upstream to push an update with an updated bundled lib. I'll help review, etc.

Thank you Jon. I will start with getid3.

It would be nice if we had a list of missing packages available elsewhere, so people interested in helping could choose what to pack.

--
Paulo Roma Cavalcanti
LCG - UFRJ
Re: Question about web applications
Paulo Cavalcanti wrote:
> On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla l...@jcomserv.net wrote:
>> David Nalley wrote:
>>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley da...@gnsa.us wrote:
>>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>>>>>>
>>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>>>>>>
>>>>>> Does it make any sense to fiddle something that has always had security as a prime concern?
>>>>>>
>>>>>> Any comment is welcome.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Paulo Roma Cavalcanti
>>>>>> LCG - UFRJ
>>>>>
>>>>> Perhaps I am the least well suited to respond as I did some of the initial review.
>>>>
>>>> No, on the contrary.
>>>>
>>>>> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>>>>>
>>>>> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>>>>>
>>>>> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
>>>>
>>>> Maybe we can list all of the packages we would like to have for web applications, and try to set up a task force to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with.
>>>
>>> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>>>
>>> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.
>>
>> Count me in. I maintain several PHP apps, and having gone through the nightmare of switching from bundled to system libraries, I wholeheartedly agree that using system libraries from the beginning is the best way to go. Using the system lib means that security fixes are done in one place for all apps, and we don't have to patch the apps, or wait for upstream to push an update with an updated bundled lib. I'll help review, etc.
>
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of
Re: Question about web applications
On 06/04/2009 06:57 PM, Paulo Cavalcanti wrote:
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of missing packages available elsewhere, so people interested in helping could choose what to pack.

http://fedoraproject.org/wiki/Package_maintainers_wishlist

Rahul
Re: Question about web applications
On Thu, Jun 4, 2009 at 10:29 AM, Jon Ciesla l...@jcomserv.net wrote:
> Paulo Cavalcanti wrote:
>> On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla l...@jcomserv.net wrote:
>>> David Nalley wrote:
>>>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley da...@gnsa.us wrote:
>>>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti pro...@gmail.com wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I submitted ampache (http://ampache.org/) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others.
>>>>>>>
>>>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache), Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of the most important considerations during application development.
>>>>>>>
>>>>>>> Does it make any sense to fiddle something that has always had security as a prime concern?
>>>>>>>
>>>>>>> Any comment is welcome.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> --
>>>>>>> Paulo Roma Cavalcanti
>>>>>>> LCG - UFRJ
>>>>>>
>>>>>> Perhaps I am the least well suited to respond as I did some of the initial review.
>>>>>
>>>>> No, on the contrary.
>>>>>
>>>>>> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc.
>>>>>>
>>>>>> In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache.
>>>>>>
>>>>>> I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app.
>>>>>
>>>>> Maybe we can list all of the packages we would like to have for web applications, and try to set up a task force to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with.
>>>>
>>>> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well.
>>>>
>>>> To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package.
>>>
>>> Count me in. I maintain several PHP apps, and having gone through the nightmare of switching from bundled to system libraries, I wholeheartedly agree that using system libraries from the beginning is the best way to go. Using the system lib means that security fixes are done in one place for all apps, and we don't have to patch the apps, or wait for upstream to push an update with an updated bundled lib. I'll help review, etc.
>>
>> Thank you Jon. I will start with getid3.
>>
>> It would be nice if we had a list of missing packages available elsewhere, so people interested in helping could choose what to pack.
>>
>> --
>> Paulo Roma Cavalcanti
>> LCG - UFRJ
>
> You mean like a subcategory of http://fedoraproject.org/wiki/PackageMaintainers/WishList ?

Yes, a more specific entry, such as web applications?

--
Paulo Roma Cavalcanti
LCG - UFRJ