On Thu, Apr 01, 2010 at 03:18:01PM +1100, John Zaitseff wrote:
> Tags: patch
>
> Dear David et al.,
>
> Thank you for packaging ViewVC!
>
> Rather a long time ago, I asked that viewvc 1.1.x be packaged. At
> that time, I promised I would have a go at it myself, since I
> realised that the 1.1.x series represented some major changes.
> Unfortunately, I've been rather busy... until now, that is.
>
> I have finally created a completely-overhauled viewvc 1.1.x package,
> based on your work and on Ender's patch. Could you please package
> the latest ViewVC, 1.1.5, using this patch (attached to this
> e-mail)? You can get the full debian directory by running:
>
> svn co http://svn.zap.org.au/svn/debian-packages/debian-updates/viewvc/tags/1.1.5-0.1zg4/debian
>
> You can download the full source to the packages, if you wish, from:
>
> ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.dsc
>
> ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5-0.1zg4.diff.gz
>
> ftp://ftp.zap.org.au/pub/debian/dists/zapgroup-sid/main/source/viewvc_1.1.5.orig.tar.gz
>
> Alternatively, you can use the following lines in /etc/apt/sources.list:
>
> deb ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main
> deb-src ftp://ftp.zap.org.au/pub/ubuntu zapgroup-sid main
>
> You can replace "zapgroup-sid" with "zapgroup-lenny" or
> "zapgroup-karmic" as appropriate.
>
> I am successfully running this version on my own Debian Lenny-based
> server, accessible at http://www.zap.org.au/viewvc/.
>
>
> Highlights of my changes:
>
> * ViewVC 1.1.5 closes some important cross-site scripting problems
> (Closes: #532611, #575777, #575787). This solves CVE-2010-0004,
> CVE-2010-0005 and CVE-2010-0736.
>
> * Updated all dependencies, based on what is required for ViewVC
> 1.1.5. In particular: the XS-Python-Version field is set to "all"
> (Closes: #570573); depend on apache2 | httpd-cgi, not apache |
> httpd (we need a CGI server); python-egenix-mxdatetime and
> enscript are no longer required/suggested (python-pygments is
> recommended instead of enscript).
>
> * Packaged the Apache mod-python modules for optional use (in
> /usr/lib/viewvc/mod-python) and added instructions in
> README.Debian on how to access it.
>
> * Wrote a manual page for /usr/bin/viewvc-standalone.
>
> * Rewrote the README.Debian, NEWS and TODO files as appropriate.
>
> * Moved to Debian policy 3.8.4 and Debhelper 7. Dealt with as many
> Lintian warnings as possible. Converted all files to UTF-8 as
> appropriate.
>
> * Refreshed all files in debian/patches: most no longer apply,
> although support for robots.txt (01-robots-support), changes to
> viewvc-install (90-viewvc-install-debian-paths) and to
> viewvc.conf.dist (91-viewvc-conf-debian-custom) still do. Tweaked
> some file modes as used by viewvc-install. All patch files now
> use -p1, making the future move to source version 3.0 (quilt) much
> easier.
>
> * The file /etc/viewvc/viewvc.conf is a conffile: maintainer scripts
> must NOT modify it (as previous versions of the ViewVC package
> do!). For this version, I've removed all Debconf scripts, since I
> don't particularly like my configuration files modified! A better
> solution would be to use something like ucf(1)...
>
>
> I'm hoping you will be able to take my changes more or less en masse
> and release an official ViewVC package quickly. I look forward to
> hearing from you!
The Security Team contacted David three weeks ago about the viewvc
maintenance status and didn't receive a reply.
David, please consider handing maintenance over to John or moving
viewvc to group maintenance.
Cheers,
Moritz
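The conffile point in John's list above (maintainer scripts must not rewrite /etc/viewvc/viewvc.conf, and ucf(1) is the better tool) is worth seeing as a concrete maintainer-script fragment. The following is an added example, not code from John's package or from the Debian viewvc package: a postinst/postrm helper that seeds the admin-owned config from a shipped default via ucf when it is available and otherwise never touches an existing file. The paths /usr/share/viewvc/viewvc.conf.dist and /etc/viewvc/viewvc.conf, and the package name "viewvc" registered with ucfr, are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not the Debian viewvc package's own maintainer script):
# conffile-safe seeding of /etc/viewvc/viewvc.conf from the package's
# shipped default, so that an administrator's edits are never clobbered.
# Assumed (hypothetical) paths: the default lives at
# /usr/share/viewvc/viewvc.conf.dist; the managed file is /etc/viewvc/viewvc.conf.
set -e

# seed_conffile SRC DEST [MODE]
#   MODE "ucf"   : hand the file to ucf(1), which remembers a hash of the last
#                  shipped version and only prompts when BOTH sides changed.
#   MODE "plain" : never modify an existing DEST; copy SRC only when absent.
#   MODE omitted : use ucf if it is installed, otherwise fall back to "plain".
seed_conffile() {
    src=$1; dest=$2; mode=${3:-auto}
    if [ "$mode" = auto ]; then
        if command -v ucf >/dev/null 2>&1; then mode=ucf; else mode=plain; fi
    fi
    case $mode in
        ucf)
            # ucf makes the three-way decision; ucfr records the owning package
            ucf --debconf-ok "$src" "$dest"
            ucfr viewvc "$dest"
            ;;
        plain)
            if [ -e "$dest" ]; then
                # The admin's file wins; dpkg's own conffile handling, not this
                # script, is what may legitimately ask about merging changes.
                echo "seed_conffile: keeping existing $dest untouched" >&2
            else
                install -m 0644 "$src" "$dest"
            fi
            ;;
        *)
            echo "seed_conffile: unknown mode '$mode'" >&2
            return 2
            ;;
    esac
}

# purge_conffile DEST : the matching postrm step for "purge" only, which is
# the one time a package is allowed to delete the admin's configuration.
purge_conffile() {
    dest=$1
    if command -v ucf >/dev/null 2>&1; then
        ucf --purge "$dest"
        ucfr --purge viewvc "$dest"
    fi
    rm -f "$dest" "$dest.ucf-old" "$dest.ucf-new" "$dest.ucf-dist"
}

# Dispatch as a maintainer script would; with no argument nothing runs.
case ${1:-} in
    configure) seed_conffile /usr/share/viewvc/viewvc.conf.dist /etc/viewvc/viewvc.conf ;;
    purge)     purge_conffile /etc/viewvc/viewvc.conf ;;
esac
```

The "plain" branch is the floor any maintainer script must respect: an existing file under /etc is left alone. The ucf branch adds what plain mode cannot, namely noticing that the shipped default itself changed between package versions (as it did across the 1.0 to 1.1 move) and offering the administrator a diff instead of silently keeping a stale file.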