Hey Neil,

On Dec 26, 2007 5:55 PM, Neil Williams <[EMAIL PROTECTED]> wrote:

> i.e. the problem lies within the package itself because it is an
> intrinsically difficult package to build properly and you would be best
> advised finding something else when you are only just starting out as
> maintainer. PHP is a nightmare for security problems and packaging
> problems. What I say to you is what I would say to anyone reading the NM
> guide for the first time - *don't start with PHP*! (Don't start with a
> compiled library either, they are complex in entirely different ways.)
> The NM guide does mention that libraries are not a wise choice for your
> first package but as it happened, I didn't get the chance of my own
> advice because when I started NM, I was already upstream for a library
> in Debian that needed an update. ;-) So learn from my mistakes and don't
> do things the hard way.

Uhm, it seems to me that the daloradius package is actually as easy as it
can be. It's just a bunch of .php and other related web application scripts
which should simply be copied to /usr/share. There's no compilation, no
updating of libraries and nothing that would seem to be complicated...
Maybe I'm missing something but as I see it, the "package" should simply
unpack the web application files into a directory and that's it. Please
correct me if I'm wrong.

> > Maybe it was my mistake to submit the new package (0.9.5) and also go
> > all over again about creating a package while I already started
> > working on it in previous versions (0.9.3 and 0.9.4) - so for that I
> > am sorry, it seemed to have fired up an uncalled-for argument about
> > the package building.
>
> I'd take that as a hint that you ought to consider learning how things
> work using a different package as your starting point.
>
> I'm not going to advise you on daloradius for a couple of reasons:
> 1. I don't generally sponsor PHP anyway (I will but only if the
> maintainer convinces me that s/he has a firm grasp of the issues
> involved, which you have not done.)

Again, I'm either missing something or there's a misunderstanding of what
daloradius is. What kind of PHP security issues are there?

> 2. I don't think daloradius is the right package for you to maintain
> right now and therefore cannot be the right package for me to sponsor.
> Come back to it once you have learnt a lot more about Debian by
> packaging at least one different package that is not written in PHP.
>
> As far as PHP goes, convenience (of programming) is very definitely the
> enemy of security. (Yes, I do write PHP, I do know at least some of the
> problems inherent in that language. No, I would not dare inflict my PHP
> on Debian as a package, I stick to the few web servers to which I have
> root access so that I can step in and rescue it when things go wrong.)

So the reason to reject a project is because of its programming nature,
which may be very much exploitable and unsafe?

> Leave daloradius behind - forget it completely. Move on to a different,
> preferably compiled, package and restart with the NM guide. Don't even
> revisit daloradius packaging until you have had at least one non-PHP
> package successfully sponsored and bug-free in Debian testing.

I can't leave it alone Neil, it's my baby :-)

Regards,
Liran.

