On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <[email protected]> wrote:
> David Nalley wrote:
>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <[email protected]> wrote:
>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <[email protected]> wrote:
>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I submitted ampache (http://ampache.org/) for review, but I was told
>>>>> that it could not use any external software bundled in the code. In
>>>>> fact, it uses getid3, a file that seems to come from horde
>>>>> (horde/Browser.php), and some others.
>>>>>
>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache):
>>>>>
>>>>> "Ampache has been featured in numerous online blogs and technical
>>>>> articles. One of the more notable was the O'Reilly book Spidering
>>>>> Hacks which tested the security of online applications. Ampache was
>>>>> found to be immune to standard spidering hacks as described in the
>>>>> O'Reilly article, and it has continued that trend by focusing on
>>>>> security during its development. The Code Philosophy listed on
>>>>> Ampache's wiki specifically lists security as one of those most
>>>>> important considerations during application development."
>>>>>
>>>>> Does it make any sense to fiddle with something that has always had
>>>>> security as a prime concern?
>>>>>
>>>>> Any comment is welcome.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Paulo Roma Cavalcanti
>>>>> LCG - UFRJ
>>>>>
>>>>> --
>>>>> fedora-devel-list mailing list
>>>>> [email protected]
>>>>> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>>>>
>>>> Perhaps I am the least well suited to respond as I did some of the
>>>> initial review.
>>>
>>> No, on the contrary.
>>>
>>>> However, there are at least 10 bundled libraries with ampache,
>>>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>>>> captchaphp, php-Snoopy, etc.
>>>>
>>>> In addition to the security benefits, creating the separate package
>>>> means other packages (even other web apps) can make use of the
>>>> libraries that would be available in Fedora instead of just ampache.
>>>> I can empathize with the extra work that this causes, as I am trying
>>>> to fix a few of these problems with another web app.
>>>
>>> Maybe we can list all of the packages we would like to have for web
>>> applications, and try to set up a "task force" to cope with them?
>>>
>>> I think if we had three or four people willing to help, the work would
>>> be concluded fast. There are always people looking forward to
>>> contributing, but without a good package to work with.
>>
>> I think that's an outstanding idea, and I'd be willing to work towards
>> such an end, and perhaps since there is such a prevalence of php we
>> can get some buy-in from the php-sig as well. To illustrate some of
>> the usefulness - I have a web app I am working on now that uses
>> php-Snoopy as ampache also does, so that's at least two applications
>> that can make use of the package.
>
> Count me in. I maintain several PHP apps, and having gone through the
> nightmare of switching from bundled to system libraries, I wholeheartedly
> agree that using system libraries from the beginning is the best way to go.
> Using the system lib means that security fixes are done in one place for
> all apps, and we don't have to patch the apps, or wait for upstream to push
> an update with an updated bundled lib.
>
> I'll help review, etc.

Thank you Jon. I will start with getid3.

It would be nice if we had a list of packages missing available elsewhere,
so people interested in helping could choose what to pack.

--
Paulo Roma Cavalcanti
LCG - UFRJ
