On Thursday, 1 April 2010, John Zaitseff wrote:
> Dear David et al.,
>
> Thank you for packaging ViewVC!
>
> Rather a long time ago, I asked that viewvc 1.1.x be packaged. At
> that time, I promised I would have a go at it myself, since I
> realised that the 1.1.x series represented some major changes.
> Unfortunately, I've been rather busy... until now, that is.
Hello, John. I haven't got enough words to give you thanks for your work.
I'm currently reviewing your changes and I'd like to merge them into the
current structure. I understand that you forked the tree a long time ago, and
I'd like to reconcile both trees. That said, I'd like to trim down all the
internal releases you did in ZAP Group and merge them into a big changelog for
1.1.5-1 (entirely devoted to you, by the way :-). Given that I have the
highest respect for you, do you mind if I do that?
> I have finally created a completely-overhauled viewvc 1.1.x package,
> based on your work and on Ender's patch. Could you please package
> the latest ViewVC, 1.1.5, using this patch (attached to this
> e-mail)? You can get the full debian directory by running:
[...]
> Highlights of my changes:
>
> * ViewVC 1.1.5 closes some important cross-site scripting problems
> (Closes: #532611, #575777, #575787). This solves CVE-2010-0004,
> CVE-2010-0005 and CVE-2010-0736.
Of course, this is the most critical part.
> * Updated all dependencies, based on what is required for ViewVC
> 1.1.5. In particular: the XS-Python-Version field is set to "all"
> (Closes: #570573); depend on apache2 | httpd-cgi, not apache |
> httpd (we need a CGI server); python-egenix-mxdatetime and
> enscript are no longer required/suggested (python-pygments is
> recommended instead of enscript).
Agreed.
> * Packaged the Apache mod-python modules for optional use (in
> /usr/lib/viewvc/mod-python) and added instructions in
> README.Debian on how to access it.
Great!
> * Wrote a manual page for /usr/bin/viewvc-standalone.
>
> * Rewrote the README.Debian, NEWS and TODO files as appropriate.
>
> * Moved to Debian policy 3.8.4 and Debhelper 7. Dealt with as many
> Lintian warnings as possible. Converted all files to UTF-8 as
> appropriate.
>
> * Refreshed all files in debian/patches: most no longer apply,
> although support for robots.txt (01-robots-support), changes to
> viewvc-install (90-viewvc-install-debian-paths) and to
> viewvc.conf.dist (91-viewvc-conf-debian-custom) still do. Tweaked
> some file modes as used by viewvc-install. All patch files now
> use -p1, making the future move to source version 3.0 (quilt) much
> easier.
Perfect. I'll need to review again viewvc-install, as it's been the source
of many nightmares months ago.
> * The file /etc/viewvc/viewvc.conf is a conffile: maintainer scripts
> must NOT modify it (as previous versions of the ViewVC package
> do!). For this version, I've removed all Debconf scripts, since I
> don't particularly like my configuration files modified! A better
> solution would be to use something like ucf(1)...
Completely agree. The configuration scripts are a complete nightmare as
well, so probably using ucf would be the sanest option.
Best regards,
Ender.
--
Network engineer - System administrator
Debian Developer

