Hi Richard,

> I'd like people to understand that we are not still considering the
> question. It is a final decision to switch to Gforge.

Final decision? Why not consider giving some time to check whether GForge is really the thing that can replace Savane? And what specific reasons can you give us? Is it more secure? Is it more efficient? Does it provide things that Savane doesn't have? In that case, why not consider proposing them on the savane-dev list at Gna!?

> I will give a brief explanation. We cannot continue using the
> Savannah software because we have no one to maintain it properly.
> GForge is maintained seriously. Therefore we will switch to GForge.

AFAIK Mathieu Roy is currently a really good maintainer of the project, and what about the other developers? 9 people is "no one"?

There is a thing I don't understand: I've seen in some lists that a possible reason is that "Savane is not secure enough", but this is not true. Savane is like other software: it has bugs/holes that are discovered by accident or by a source audit. The first only happens when the system is compromised, the second occurs when developers think that it is not secure at all.

I contacted the people of the project due to a source audit I made of Savane; the response was perfect and things went quickly. Now Savane is really good software except for one thing: it uses old insecure features of PHP. This problem will be solved when the NRG branch (which solves this problem) gets merged with the trunk.

In the case of security, I want to talk about GForge (I've got the source and I am looking at it): as an example of the same problem (register_globals use), GForge shares the same with Savane; just look at /www/sendmessage.php line 16. Variables are not set by method, they are registered as globals.

I found some funny "holes" in the code that are affected by the above reason. Look at source.php, lines 16-17: bad use of $sys_show_source implies that ANYBODY can see the source of any file and bypass the protection by setting the boolean value of that variable. Example: http://gforge.org/source.php?file=source.php is denied, so use http://gforge.org/source.php?sys_show_source=true&file=source.php and now you can see sources with "permission". I will check the rest of the code later. A false sense of security is more dangerous than a real security problem.

> I don't have time to discuss this further. I am in the hospital and
> falling behind on my other work.

OK, I wanted to give my opinion, sincerely,

Best regards.
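
The register_globals pattern described in the message above, as an added example that is not part of the original e-mail and is not GForge's source.php: a flag that the server never initialises can be supplied by the request, while a check that reads only server-side configuration cannot. The function names and the `$config` array are hypothetical; `extract()` stands in for what `register_globals=On` did implicitly.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical function): request parameters share a
// scope with configuration flags, as they did under register_globals=On.
function may_show_source_vulnerable(array $config, array $request): bool
{
    // Values the script sets itself win over request values, but any flag
    // the script leaves unset is taken from the query string.
    extract($config, EXTR_SKIP);
    extract($request, EXTR_SKIP);

    // Loose truthiness test on a variable that may be client-controlled.
    return !empty($sys_show_source);
}

// Hardened pattern (hypothetical function): the request is never consulted,
// and only an explicit boolean true in server-side config enables the feature.
function may_show_source_hardened(array $config): bool
{
    return ($config['sys_show_source'] ?? false) === true;
}

// Constructed input: the site config never defines the flag (feature meant to
// be off), and the request mirrors the query string quoted in the message.
$config  = [];
$request = ['sys_show_source' => 'true', 'file' => 'source.php'];

printf("vulnerable check allows viewing: %s\n",
    var_export(may_show_source_vulnerable($config, $request), true));
printf("hardened check allows viewing:   %s\n",
    var_export(may_show_source_hardened($config), true));

// With the flag explicitly set server-side, both checks follow the config.
$config = ['sys_show_source' => false];
printf("vulnerable check, flag set to false in config: %s\n",
    var_export(may_show_source_vulnerable($config, $request), true));
```

Explicitly initialising every security-relevant flag closes the hole even when globals are registered; reading request data only through `$_GET`/`$_POST` removes the shared scope altogether.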