RFS: wordpress-openid [was: Re: No sponsor found for weeks, what to do now?]
Hi Raphael,

On Wed, 2008-08-27 at 19:23 -0500, Raphael Geissert wrote:
> Andreas, please don't take these wrong but your packages really need a lot of changes and reading the documentation and looking at different packages and even reading the reviews posted for other packages could help you understand what needs to be changed in your packages. Once they are in a better shape they could then be polished.

By the way, is there any PHP-related policy or best practice for PHP packaging, like there is for Java?

> I: wordpress-openid source: debian-watch-file-is-missing

What if there is no site to watch on? The download link is http://downloads.wordpress.org/plugin/openid.2.2.2.zip but the containing folder http://downloads.wordpress.org/plugin/ does not allow directory listing.

(I just noticed that there is a new upstream version. I will update my Debian package to reflect that.)

> X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/Log/error_log.php

Looks like I have to create a dependency on 'php-log' and remove the offending files from my package.

Thanks for your hints.

Best regards,

Andreas

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: No sponsor found for weeks, what to do now?
[Please don't send me a copy of the message, thanks.]

Kartik Mistry wrote:
> On Thu, Aug 28, 2008 at 5:53 AM, Raphael Geissert [EMAIL PROTECTED] wrote:
>> (xlintian is an alias to the dev copy of lintian on my machine, which also happens to have a couple or more checks that should/will be added to lintian).
>
> Probably, people on mentors will love to use your xlintian :)

Because it is an *x*lintian? or why? :)

The official lintian vcs can be found at git.d.o, as well as my own lintian repository. But, as you can imagine, I try to get all my changes mainstream.

Cheers,
--
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Re: RFS: wordpress-openid [was: Re: No sponsor found for weeks, what to do now?]
Andreas Schildbach wrote:
> By the way, is there any PHP-related policy or best practice for PHP packaging, like there is for Java?

Hi Andreas,

There's a draft of the PHP Policy [0] which is kinda empty, also you may ask on the debian-webapps list [1]. Or read the PHP page on the Wiki [2] (though this is mainly focused on the php package and not web apps)

Regards,
Mauro

[0] http://webapps-common.alioth.debian.org/draft-php/html/
[1] [EMAIL PROTECTED]
[2] http://wiki.debian.org/PHP

--
JID: [EMAIL PROTECTED]
http://lusers.com.ar/

Re: RFS: wordpress-openid [was: Re: No sponsor found for weeks, what to do now?]
Andreas Schildbach wrote:
> Hi Raphael,
>
> On Wed, 2008-08-27 at 19:23 -0500, Raphael Geissert wrote:
>> Andreas, please don't take these wrong but your packages really need a lot of changes and reading the documentation and looking at different packages and even reading the reviews posted for other packages could help you understand what needs to be changed in your packages. Once they are in a better shape they could then be polished.
>
> By the way, is there any PHP-related policy or best practice for PHP packaging, like there is for Java?

Mauro Lizaur already commented on that, but currently the best practice is not documented and you should try to follow what other php packages do.

>> I: wordpress-openid source: debian-watch-file-is-missing
>
> What if there is no site to watch on? The download link is http://downloads.wordpress.org/plugin/openid.2.2.2.zip but the containing folder http://downloads.wordpress.org/plugin/ does not allow directory listing.

uscan doesn't only work on directory listings, it actually works on directory listings because they contain links to the files and that's all it needs.

(Working) example for that package:

    version=3
    http://wordpress.org/extend/plugins/openid/download/ \
     http://downloads.wordpress.org/plugin/openid.(.+)\.zip

> (I just noticed that there is a new upstream version. I will update my Debian package to reflect that.)
>
>> X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/Log/error_log.php
>
> Looks like I have to create a dependency on 'php-log' and remove the offending files from my package.

I hope that by 'remove' you mean not install them on the .deb package.

> Thanks for your hints.
>
> Best regards,
>
> Andreas

Cheers,
--
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

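[Added example, not part of the original thread and not uscan's own code: a simplified Python model of the link matching described in the reply above, showing why a page of links is enough and no directory index is needed. Only the pattern comes from the watch file in the thread; SAMPLE_PAGE is constructed, and the helper names and the plain numeric version ordering are assumptions.]

```python
import re
from html.parser import HTMLParser

# Link pattern from the watch file quoted in the thread.
WATCH_PATTERN = r"http://downloads.wordpress.org/plugin/openid.(.+)\.zip"

# Constructed sample of a download page; not fetched from wordpress.org.
SAMPLE_PAGE = """
<a href="/extend/plugins/openid/">Description</a>
<a href="http://downloads.wordpress.org/plugin/openid.2.2.2.zip">2.2.2</a>
<a href="http://downloads.wordpress.org/plugin/openid.2.10.zip">2.10</a>
<a href="http://downloads.wordpress.org/plugin/openid.zip">development</a>
<a href="http://downloads.wordpress.org/plugin/other.1.0.zip">other</a>
"""


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag; no directory index is required."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def version_key(version):
    # Assumption: plain numeric ordering; uscan itself uses Debian version ordering.
    return [int(n) for n in re.findall(r"\d+", version)]


def find_upstream_versions(page_html, pattern=WATCH_PATTERN):
    """Return the versions captured from links that match the whole pattern."""
    collector = HrefCollector()
    collector.feed(page_html)
    matches = (re.fullmatch(pattern, href) for href in collector.hrefs)
    return sorted((m.group(1) for m in matches if m), key=version_key)


def newest_upstream_version(page_html, pattern=WATCH_PATTERN):
    versions = find_upstream_versions(page_html, pattern)
    return versions[-1] if versions else None


if __name__ == "__main__":
    print(find_upstream_versions(SAMPLE_PAGE))   # oldest to newest
    print(newest_upstream_version(SAMPLE_PAGE))
```
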
Re: No sponsor found for weeks, what to do now?
On Wed, 2008-08-27 at 19:30 +0200, Thijs Kinkhorst wrote:
> On Wednesday 27 August 2008 19:02, Neil Williams wrote:
>> 3. You're asking for sponsorship of PHP packages which are a security nightmare (esp. wordpress that had a huge flamewar around the time of the Etch release due to security issues). Many sponsors are justifiably wary of PHP packages after seeing many others being flamed to a crisp by the security team and ftp-master team. Personally, I won't touch PHP packages ever again - I'm reconsidering my own PHP in favour of perl and if I could do without php on my own servers, I would.
>
> Although there are PHP applications that are a security nightmare, there are well-written applications just as well. This goes for any programming language.

OK, PHP has more than a fair share but, yes, there are some good PHP applications. However, the reputation of PHP is enough to hinder sponsorship of new PHP packages, IMHO. New PHP packages, in my experience, are extremely unlikely to be of sufficient quality to compare with the few good PHP packages that exist in Debian. Even good PHP applications have more security implications than a good C package, IMHO.

I've heard of Ruby-on-rails being discussed in the same worried tones as PHP but I don't know Ruby. I know PHP, I write PHP, I could sponsor PHP but I won't because the security implications of PHP would keep me awake at night. As I said, I have enough worries about what little PHP I use myself.

> Plus, I've surely not seen anyone being flamed [...] by the security team, let alone to crisp,

(Some of that happened off-list and one of the people involved is well-known to me due to interests outside Debian. I can vouch that some of the off-list stuff was easily described as 'flaming to a crisp'.)

> let even further alone those many people you're talking about, and find the suggestion that we would act in such a way a bit offensive.

Mentors might not, others certainly have done.

It doesn't serve the list to pretend that security and PHP are not poor bedfellows or that PHP will not invite some very firm, very pointed and extremely critical responses outside this list.

> Please, this mailinglist is intended as a friendly place to get help and sponsorship on your packages. It would be helpful to write in a more balanced tone than you used in this email.

There is a difference between being friendly and being firm. There are clear problems that, IMHO, sufficiently explain the reasons for not looking at any PHP packages at this time. I don't care if I do dismiss PHP without review - I think that requests to sponsor PHP deserve to be dismissed unseen at this time, for the reasons I have already explained.

I strongly recommend any maintainer on this list and waiting for a sponsor, to look exclusively at existing packages rather than new and specifically at packages that have RC bugs at the expense of anything else. Right now, NEW packages simply do not matter. IMHO, until Lenny is released, NEW == waste of time and a new PHP package is even worse, let alone TWO.

--
Neil Williams
=
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Re: No sponsor found for weeks, what to do now?
On Wednesday 27 August 2008 20:23, Neil Williams wrote:
>> Plus, I've surely not seen anyone being flamed [...] by the security team, let alone to crisp,
>
> (Some of that happened off-list and one of the people involved is well-known to me due to interests outside Debian. I can vouch that some of the off-list stuff was easily described as 'flaming to a crisp'.)
>
>> let even further alone those many people you're talking about, and find the suggestion that we would act in such a way a bit offensive.
>
> Mentors might not, others certainly have done.
>
> It doesn't serve the list to pretend that security and PHP are not poor bedfellows or that PHP will not invite some very firm, very pointed and extremely critical responses outside this list.

Whatever you personally think of PHP, I'm not charmed with you making allegations on a public forum that many people were flamed to crisp by the team I am a member of, but then fail to support that statement when asked where you base it on. If you want to make statements that put a team in a bad light in a public forum you'll have to be prepared to back them up.

It seems to boil down to trust me, I once heard somewhere that a person was flamed by a security team member.

I think it's evident that I'm not charmed by you postulating that many people were flamed by that team, suggesting structural issues, without presenting a piece of material on that. I believe that only helps to set a negative atmosphere around that team.

Thijs

Re: No sponsor found for weeks, what to do now?
On Wed, 2008-08-27 at 20:50 +0200, Thijs Kinkhorst wrote:
> Whatever you personally think of PHP, I'm not charmed with you making allegations on a public forum that many people were flamed to crisp by the team I am a member of, but then fail to support that statement when asked where you base it on. If you want to make statements that put a team in a bad light in a public forum you'll have to be prepared to back them up.

It wasn't meant to put any team in a bad light - it was meant to indicate that PHP is not without security problems and that ignoring previous problems will not bring favour with the security team. 'flame' had an unintended connotation for the team concerned. I apologise for that. :-)

> It seems to boil down to trust me, I once heard somewhere that a person was flamed by a security team member.

Actually, it was more that someone I know got a robust (but, IMHO, accurate) response from the security team which was not to their liking. i.e. other direction. The responses that resulted were not necessarily from any particular team (or without due cause). Here is not the place to go into details.

> I think it's evident that I'm not charmed by you postulating that many people were flamed by that team, suggesting structural issues, without presenting a piece of material on that. I believe that only helps to set a negative atmosphere around that team.

That was not my intention - indeed, nothing was intended to reflect on the team itself, merely on the choice of language involved. In many ways, the responses of the security team were fully deserved and intended as a warning to maintainers of PHP code that insecure PHP code will get a robust response that might not be particularly friendly. ;-)

Sorry.

--
Neil Williams
=
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Re: No sponsor found for weeks, what to do now?
Vincent Bernat wrote:
> OoO In the early evening of Wednesday 27 August 2008, around 18:24, Andreas Schildbach [EMAIL PROTECTED] said:
>
>> phpmyid - standalone, single user, OpenID identity provider
>> http://mentors.debian.net/debian/pool/main/p/phpmyid
>
> You can try to ask for sponsorship in Debian PHP team. However, this team is essentially dedicated to maintaining PHP. Therefore, I am not sure that you will get an answer for this one.

I, not being a DD, have reviewed several php packages on -mentors hoping to increase a little bit the quality of php packages around but these have so many 'issues' that I haven't had enough time to write something appropriate.

Andreas, please don't take these wrong but your packages really need a lot of changes and reading the documentation and looking at different packages and even reading the reviews posted for other packages could help you understand what needs to be changed in your packages. Once they are in a better shape they could then be polished.

Oh, and of course, here I'm just talking about the Debian packaging, but the code often needs a review to attempt to prevent security problems right from the start.

>> wordpress-openid - OpenID consumer plugin for WordPress
>> http://mentors.debian.net/debian/pool/main/w/wordpress-openid
>
> Wordpress maintainer may be interested to help you in sponsoring this package. Unfortunately, Wordpress maintainer is not a DD...

(xlintian is an alias to the dev copy of lintian on my machine, which also happens to have a couple or more checks that should/will be added to lintian).

    $ xlintian -I -E *.dsc
    I: wordpress-openid source: debian-watch-file-is-missing
    I: wordpress-openid source: package-lacks-versioned-build-depends-on-debhelper 7
    I: phpmyid source: package-lacks-versioned-build-depends-on-debhelper 7
    $ xlintian -I -E *.changes
    X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/Log/error_log.php
    X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/Log/file.php
    X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/Log/null.php
    X: wordpress-openid: embedded-pear-module usr/share/wordpress/wp-content/plugins/openid/OpenIDLog.php
    W: wordpress-openid: copyright-lists-upstream-authors-with-dh_make-boilerplate
    E: phpmyid: copyright-should-refer-to-common-license-file-for-gpl

Cheers,
--
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Re: No sponsor found for weeks, what to do now?
On Thu, Aug 28, 2008 at 5:53 AM, Raphael Geissert [EMAIL PROTECTED] wrote:
> (xlintian is an alias to the dev copy of lintian on my machine, which also happens to have a couple or more checks that should/will be added to lintian).

Probably, people on mentors will love to use your xlintian :)

--
Cheers,
Kartik Mistry | 0xD1028C8D | IRC: kart_
Homepage: people.debian.org/~kartik
Blogs: {ftbfs,kartikm}.wordpress.com