"Thomas Dukleth" <[EMAIL PROTECTED]> wrote: [...] > As I was preparing some proposed fixes, Joshua Ferraro informed me that > there are various pending fixes from a few people. Some of the pending > fixes will not be pushed up to the Koha git repository because they > conflict with other more complete fixes. [...]
That seems like the wrong solution to me. If people aren't creating and pushing unannounced fixes to the main repo fast enough, the conflicts are their lookout IMO. For example, I didn't know Galen Charlton was also working on the PL_FILES problems until your email. A few comments on the other aspects: > [...] Vincent Danjean has some supplementary Debian packages at > http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html and MJ > Ray has some at http://serene.ttllp.co.uk/~mjr/ . At some point, these > should be placed in repository for apt to use. They will be placed in the main repositories. Vincent Danjean has pushed some packages to pkg-perl just this weekend. > 2.1. PROBLEMS PREVENTING SUCCESSFUL MAKE. > > File globbing which captures directories builds a makefile which aborts > with the following error when running make. > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > ERROR: Cannot copy 'installer/data/mysql/fr/mandatory' to > '/usr/local/lib/cgi-bin/koha/installer/data/mysql/fr/mandatory': Is a > directory > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > at -e line 1 > make: *** [pm_to_blib] Error 21 > > Changing general file globbing from * to *.* for using the '.' in > filenames can fix that problem. However, that solution is not robust if > files are not in *.* form and at least needs a specific correction for > .htaccess as the only file which does not match the pattern. A better fix might be to check that glob returns are files with -f or at least ! -d. > 2.3. INSTALLATION FILE OWNERSHIP. > > The webserver user should be read and ownership of the necessary files > should be changed to the webserver user when running make install. Why? That seems like a serious security risk, leaving the web application able to change the file-based configuration if exploited. I think that is one thing which should be left to defaults, with the sysadmin tightening things if needed. > 2.4.2. 
KOHA-HTTPD.CONF. > > Using the ScriptAlias directives is considered a security vulnerability. By whom? It's not mentioned in http://httpd.apache.org/docs/2.2/howto/cgi.html - in fact, it seems to suggest the reverse. > Alias directives, rewrite rules or some other more secure method should be > substituted for ScriptAlias directives. Rewrite rules would add extra requirements for Koha hosting. Not sure whether that's a problem or not. Hope that helps, -- MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 - Webmaster-developer, statistician, sysadmin, online shop builder, consumer and workers co-operative member http://www.ttllp.co.uk/ - Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/ _______________________________________________ Koha-devel mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/koha-devel
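
Added example (not part of the original message, and not Koha code): a shell function for checking the concern raised under point 2.3, listing every path in an install tree that a given account can modify through its mode bits. The function name `writable_by` and both of its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists everything under an install
# tree that a given account could modify through ordinary mode bits.
# Usage: writable_by ROOT ACCOUNT   (both are caller-supplied assumptions)
writable_by() {
    root=$1
    user=$2
    # Primary and supplementary group ids of the account, numeric.
    gids=$(id -G "$user") || { echo "unknown account: $user" >&2; return 2; }

    # Start with: owned by the account and owner-writable, or world-writable.
    set -- \( -user "$user" -perm -200 \) -o -perm -002
    # Add: group-writable and owned by any group the account belongs to.
    for gid in $gids; do
        set -- "$@" -o \( -group "$gid" -perm -020 \)
    done

    # Symlinks are skipped because their own mode bits are not enforced.
    find "$root" ! -type l \( "$@" \) -print | sort
}
```

Run it against the install prefix with the account the web server runs as; POSIX ACLs and mount options are not considered.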
