Re: RFS: phpmyid

2008-08-29 Thread Michal Čihař
Hi

On Thu, 28 Aug 2008 23:41:43 +0200
Andreas Schildbach [EMAIL PROTECTED] wrote:

> Hello Michal,
>
> On Thu, 2008-08-28 at 22:07 +0200, Michal Čihař wrote:
>
>>>> - also license information in debian/copyright does not seem to be
>>>> sufficient, you should be more detailed (or use new machine readable
>>>> format, see http://wiki.debian.org/Proposals/CopyrightFormat)
>>>
>>> Thanks a lot for this pointer. I've completely rewritten the copyright
>>> file. One question though: Do I actually have to include the license
>>> text for popular licenses? (in this case: GPL-any)
>>
>> Why do you use some random older revision of proposal?
>
> I'm afraid I don't understand. I am using the proposal from the page you
> were referring. Other than the revision number from the example in the
> proposal, I have no idea which newer revisions could possibly exist.

You should point Format-Specification to the version of the wiki page you
based your copyright file on. I guess it is the current one, so there should be
http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=226

 
>> Yes you should include something like:
>>
>> License-Terms: GPL-2
>>  On Debian and Debian-based systems, a copy of the GNU General Public
>>  License version 2 is available in /usr/share/common-licenses/GPL-2.
>
> Ok, thanks. The problem is, there is no text for 'GPL-any'. I am
> inclined to write something to the effect of:
>
> On Debian and Debian-based systems, a copy of the GNU General Public
> Licenses are available in /usr/share/common-licenses.
>
> Would this be ok?

I added this only as an example. There is also an example for GPL-any on
the wiki page, so why reinvent the wheel? Anyway, to me it looks more
like your package is GPL-2+.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com




Re: RFS: phpmyid

2008-08-29 Thread Vincent Bernat
On this sunny early afternoon of Thursday 28 August 2008, around
15:04, Andreas Schildbach [EMAIL PROTECTED] said:

>> In debian/control, your dependencies are too strict.
>
> I relaxed the dependencies. However, how can I know that my package
> actually works with all HTTP daemons? I cannot test them all.

It is not really your matter. You provide a configuration file for
one or several HTTP daemons and let the user handle other cases. The
point here is to not force the user to install Apache while he wants to use
another daemon to run this package.

>> I think that you should not ship htaccess file (or as documentation).
>> It is usually better to put all configuration in Apache configuration
>> file. For example, by default, rewrite rules are not authorized in
>> htaccess. You can put the content of htaccess in your apache2.conf
>> file for example.
>
> What do you mean by rewrite rules are not authorized? Is it perhaps
> better to not deviate from upstream in this case (htaccess comes from
> upstream)? I could try to convince upstream to change this with the next
> version.

The default configuration of Apache does not allow putting rewrite rules
in .htaccess files. In post-lenny, nothing will be authorized by default
in .htaccess. Therefore, a user modifying .htaccess will get a
non-working configuration unless he also modifies an AllowOverride clause.

Upstream ships .htaccess because it allows the user to just unpack the
software in some directory and make it work without modifying anything
else (but as pointed out above, this won't work on a default Debian
system). Since you are packaging the software for Debian, you don't need
to use .htaccess because you can alter Apache configuration (usually by
dropping a file in /etc/apache2/conf.d).

There is  no mandatory document  about this. You  can look at  the draft
policy here:
 http://webapps-common.alioth.debian.org/draft/html/ch-httpd.html
-- 
No fortunes found




Re: RFS: phpmyid

2008-08-29 Thread Andreas Schildbach
On Fri, 2008-08-29 at 10:35 +0200, Vincent Bernat wrote:

> The default configuration of Apache does not allow putting rewrite rules
> in .htaccess files. In post-lenny, nothing will be authorized by default
> in .htaccess. Therefore, a user modifying .htaccess will get a
> non-working configuration unless he also modifies an AllowOverride clause.

Ok thanks, I dropped the original .htaccess from the binary deb and
added similar instructions to the Apache example configuration.

As soon as I get word from upstream about the licensing I'll upload a
fixed version.

Best regards,

Andreas



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: RFS: phpmyid

2008-08-29 Thread Raphael Geissert
Vincent Bernat wrote:

> On this sunny early afternoon of Thursday 28 August 2008, around
> 15:04, Andreas Schildbach [EMAIL PROTECTED] said:
>
>>> In debian/control, your dependencies are too strict.
>>
>> I relaxed the dependencies. However, how can I know that my package
>> actually works with all HTTP daemons? I cannot test them all.
>
> It is not really your matter. You provide a configuration file for
> one or several HTTP daemons and let the user handle other cases. The
> point here is to not force the user to install Apache while he wants to use
> another daemon to run this package.

> Depends: apache2 | httpd, php5
This should actually be apache2 | httpd-cgi, php5, as a simple httpd like
dhttpd Provides: httpd but won't be of any use when the user wants to run
php5-cgi (which is the only non-Apache web server SAPI of PHP being shipped
at the moment).

 
>>> I think that you should not ship htaccess file (or as documentation).
>>> It is usually better to put all configuration in Apache configuration
>>> file. For example, by default, rewrite rules are not authorized in
>>> htaccess. You can put the content of htaccess in your apache2.conf
>>> file for example.
>>
>> What do you mean by rewrite rules are not authorized? Is it perhaps
>> better to not deviate from upstream in this case (htaccess comes from
>> upstream)? I could try to convince upstream to change this with the next
>> version.
>
> The default configuration of Apache does not allow putting rewrite rules
> in .htaccess files. In post-lenny, nothing will be authorized by default
> in .htaccess. Therefore, a user modifying .htaccess will get a
> non-working configuration unless he also modifies an AllowOverride clause.
>
> Upstream ships .htaccess because it allows the user to just unpack the
> software in some directory and make it work without modifying anything
> else (but as pointed out above, this won't work on a default Debian
> system). Since you are packaging the software for Debian, you don't need
> to use .htaccess because you can alter Apache configuration (usually by
> dropping a file in /etc/apache2/conf.d).

The file is actually useless as it only provides a couple of examples of
what one needs to add when php5-cgi is used (it actually doesn't make any
sense that you need those).

 
> There is no mandatory document about this. You can look at the draft
> policy here:
>  http://webapps-common.alioth.debian.org/draft/html/ch-httpd.html

...
Besides that, taking a quick look at the code:

> // if neither, offer the trust request
> $q = strpos($profile['req_url'], '?') ? '' : '?';

Wrong assumption: strpos returns false, but it might also return 0, which in
that case would be evaluated just like false.


Oh, and by looking at the code:
> #   'allow_gmp'     => false,
> #   'allow_test'    => false,
> #   'allow_suhosin' => false,

Enabling allow_gmp requires the user to have the php5-gmp extension
installed, so it might be a good idea to Suggests it (probably not Recommends,
as it can fall back to using bcmath, which is a built-in extension of the php5
packages).

I don't see any real reason for this:

> $extension_b = array('suhosin');
> foreach ($extension_b as $x) {
>     if (extension_loaded($x) && !$profile["allow_$x"])
>         error_500("phpMyID is not compatible with '$x'");
> }

> phpMyID is NOT compatible with Suhosin or other hardened PHP systems
> (Debian users take note).

> *) Received error: phpMyID is not compatible with 'suhosin'
>
> Suhosin is a security add-on for PHP which, amongst other things, removes
> PHP's ability to open and access multiple sessions at one time. Simply put,
> phpMyID is reliant upon this feature, and will therefore not work with a
> hardened PHP.
>
> To make phpMyID work with Suhosin, you can try the following:
> 1) Set the profile key 'allow_suhosin' to true in your config file.
> 2) Set suhosin.session.encrypt Off in either your PHP/Suhosin config file,
>    or as a php_flag in your httpd.conf (or .htaccess).
>
> See: https://www.siege.org/forum/viewtopic.php?pid=3167

You should really clarify that.

Anyway, the code is prone to XSS attacks (I could actually be more specific
if you want me to, but better let upstream review all the code) on the HTML
it prints and the headers it sends. It even relies on HTTP_HOST and doesn't
perform any sanity check on it.

IMHO the code is not ready to be uploaded as there are security issues that
need to be addressed first and not after it is uploaded to Debian.

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


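Three of the points raised in this review (strpos() returning 0, trusting HTTP_HOST, and unescaped values in the HTML), shown as an added PHP example that is not phpMyID's own code; the hostnames, inputs and helper names are made up here.

```php
<?php
// Added example, not phpMyID's code. Hostnames, inputs and helper names are
// constructed for illustration. Requires PHP 7.1+ (nullable return type).

// 1) Query separator. strpos() returns int(0) when '?' is the first character
//    and false when it is absent; both are falsy, so the truthiness test in
//    the snippet quoted above treats a URL that starts with '?' as having none.
function query_separator_buggy(string $url): string {
    return strpos($url, '?') ? '' : '?';
}
function query_separator_fixed(string $url): string {
    return strpos($url, '?') === false ? '?' : '';
}

// 2) HTTP_HOST is supplied by the client. Instead of echoing it into links or
//    Location headers, accept only the hosts this provider is configured for.
function resolve_host(array $server, array $allowed_hosts): ?string {
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // strip an explicit port
    return in_array($host, $allowed_hosts, true) ? $host : null;
}

// 3) Escape every untrusted value that is interpolated into the HTML response.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs so the script runs stand-alone from the CLI.
$urls = ['?openid.mode=checkid_setup', 'https://idp.example/id',
         'https://idp.example/id?x=1'];
foreach ($urls as $u) {
    printf("%-30s buggy:'%s' fixed:'%s'\n", $u,
           query_separator_buggy($u), query_separator_fixed($u));
}

$allowed = ['idp.example'];                       // assumed configured hostname
foreach (['idp.example:443', 'other.example'] as $sent) {
    $host = resolve_host(['HTTP_HOST' => $sent], $allowed);
    if ($host === null) {
        echo "HTTP_HOST '", h($sent), "' rejected; answer 400 instead of using it\n";
        continue;
    }
    $self = 'https://' . $host . '/id';             // safe: built from the allowlist
    echo '<a href="' . h($self) . '">' . h($host) . '</a>', "\n";
}

// A return_to parameter as a relying party might send it: escaped before output.
$untrusted_return_to = 'https://rp.example/cb?x="<y>';   // constructed input
echo '<a href="' . h($untrusted_return_to) . '">return</a>', "\n";
```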



Re: RFS: phpmyid

2008-08-28 Thread Andreas Schildbach
Hi Vincent, hello Michal,

thanks for helping me with the package.

I have uploaded a fixed package to mentors.debian.net.

On Wed, 2008-08-27 at 19:02 +0200, Vincent Bernat wrote:

> In debian/changelog, remove the mention about this package being your
> first. Most users are not interested in this information.

I removed the line. Note that "This is my first Debian package." is
explicitly stated as an example in the New Maintainers' Guide at

http://www.debian.org/doc/manuals/maint-guide/ch-dreq.en.html#s-changelog

Maybe the document should be changed then?

> In debian/control, your dependencies are too strict.

I relaxed the dependencies. However, how can I know that my package
actually works with all HTTP daemons? I cannot test them all.

> I think that you should not ship htaccess file (or as documentation). It
> is usually better to put all configuration in Apache configuration
> file. For example, by default, rewrite rules are not authorized in
> htaccess. You can put the content of htaccess in your apache2.conf file
> for example.

What do you mean by rewrite rules are not authorized? Is it perhaps
better to not deviate from upstream in this case (htaccess comes from
upstream)? I could try to convince upstream to change this with the next
version.

On Wed, 2008-08-27 at 18:45 +0200, Michal Čihař wrote:

> - also license information in debian/copyright does not seem to be
> sufficient, you should be more detailed (or use new machine readable
> format, see http://wiki.debian.org/Proposals/CopyrightFormat)

Thanks a lot for this pointer. I've completely rewritten the copyright
file. One question though: Do I actually have to include the license
text for popular licenses? (in this case: GPL-any)

Best regards,

Andreas







Re: RFS: phpmyid

2008-08-28 Thread Michal Čihař
Hi

On Thu, 28 Aug 2008 15:04:15 +0200
Andreas Schildbach [EMAIL PROTECTED] wrote:

> I have uploaded a fixed package to mentors.debian.net.

- Why have you kept the configure-stamp target? Also remove configure
from .PHONY.
- What is the reason for the commented-out dh_* command in debian/rules?

>> - also license information in debian/copyright does not seem to be
>> sufficient, you should be more detailed (or use new machine readable
>> format, see http://wiki.debian.org/Proposals/CopyrightFormat)
>
> Thanks a lot for this pointer. I've completely rewritten the copyright
> file. One question though: Do I actually have to include the license
> text for popular licenses? (in this case: GPL-any)

Why do you use some random older revision of the proposal? Yes, you should
include something like:

License-Terms: GPL-2
 On Debian and Debian-based systems, a copy of the GNU General Public
 License version 2 is available in /usr/share/common-licenses/GPL-2.

If you would use lintian, you would find it:

$ lintian -I phpmyid_0.9-1_i386.changes 
I: phpmyid source: package-lacks-versioned-build-depends-on-debhelper 7
E: phpmyid: copyright-should-refer-to-common-license-file-for-gpl

(It also shows another problem in your package: a mismatch between
debian/compat and the debhelper build dependency.)

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com




Re: RFS: phpmyid

2008-08-28 Thread Andreas Schildbach
Hello Michal,

On Thu, 2008-08-28 at 22:07 +0200, Michal Čihař wrote:

>>> - also license information in debian/copyright does not seem to be
>>> sufficient, you should be more detailed (or use new machine readable
>>> format, see http://wiki.debian.org/Proposals/CopyrightFormat)
>>
>> Thanks a lot for this pointer. I've completely rewritten the copyright
>> file. One question though: Do I actually have to include the license
>> text for popular licenses? (in this case: GPL-any)
>
> Why do you use some random older revision of proposal?

I'm afraid I don't understand. I am using the proposal from the page you
were referring. Other than the revision number from the example in the
proposal, I have no idea which newer revisions could possibly exist.

> Yes you should include something like:
>
> License-Terms: GPL-2
>  On Debian and Debian-based systems, a copy of the GNU General Public
>  License version 2 is available in /usr/share/common-licenses/GPL-2.

Ok, thanks. The problem is, there is no text for 'GPL-any'. I am
inclined to write something to the effect of:

On Debian and Debian-based systems, a copy of the GNU General Public
Licenses are available in /usr/share/common-licenses.

Would this be ok?

> If you would use lintian, you would find it:

Sorry, I overlooked the lintian error that was printed with the build
process. I will have a closer look in the future.

(I have locally fixed all your other concerns.)

Best regards,

Andreas






Re: RFS: phpmyid

2008-08-28 Thread Noel David Torres Taño
On Thursday 28 August 2008 22:07:55 Michal Čihař wrote:
> Hi
>
> On Thu, 28 Aug 2008 15:04:15 +0200
> Andreas Schildbach [EMAIL PROTECTED] wrote:
>
>> I have uploaded a fixed package to mentors.debian.net.
>
> - Why have you kept the configure-stamp target? Also remove configure
> from .PHONY.
> - What is the reason for the commented-out dh_* command in debian/rules?
>
>>> - also license information in debian/copyright does not seem to be
>>> sufficient, you should be more detailed (or use new machine readable
>>> format, see http://wiki.debian.org/Proposals/CopyrightFormat)
>>
>> Thanks a lot for this pointer. I've completely rewritten the copyright
>> file. One question though: Do I actually have to include the license
>> text for popular licenses? (in this case: GPL-any)
>
> Why do you use some random older revision of the proposal? Yes, you should
> include something like:
>
> License-Terms: GPL-2
>  On Debian and Debian-based systems, a copy of the GNU General Public
>  License version 2 is available in /usr/share/common-licenses/GPL-2.
>
> If you would use lintian, you would find it:
>
> $ lintian -I phpmyid_0.9-1_i386.changes
> I: phpmyid source: package-lacks-versioned-build-depends-on-debhelper 7
> E: phpmyid: copyright-should-refer-to-common-license-file-for-gpl
>
> (It also shows another problem in your package: a mismatch between
> debian/compat and the debhelper build dependency.)
>

GPL-any means GPL-1 and so GPL-1 must be included complete and verbatim, since
it is not installed by default in Debian systems. Unless you have explicit
permission to use GPL version 1 _or any later version_, which means you can use
GPL-2. If you can do that, please do.

I've encountered the same with wmaker-data :(

Noel Torres
er Envite




Re: RFS: phpmyid

2008-08-28 Thread Andreas Schildbach
On Fri, 2008-08-29 at 00:03 +0200, Noel David Torres Taño wrote:

> Unless you have explicit permission to use GPL version 1 _or any later
> version_, which means you can use GPL-2. If you can do that, please do.

He is including a LICENSE file that says GPL v2 and includes a complete
copy of the license text. But the sources say:

@license http://www.gnu.org/licenses/gpl.html GNU Public License

Can I state GPL-2 in this case?

Btw. which is the recommended license for my Debian packaging?

Best regards,

Andreas






RFS: phpmyid

2008-07-26 Thread Andreas Schildbach
(re-posted, because my first post seems to have been swallowed by
gmane)


Dear mentors,

I am looking for a sponsor for my package phpmyid.

* Package name: phpmyid
  Version : 0.9-1
  Upstream Author : CJ Niemira [EMAIL PROTECTED]
* URL : http://siege.org/projects/phpMyID/
* License : GPL
  Section : net

It builds these binary packages:
phpmyid - standalone, single user, OpenID identity provider

The package appears to be lintian clean.

The upload would fix these bugs: 492325

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/phpmyid
- Source repository: deb-src http://mentors.debian.net/debian unstable
main contrib non-free
- dget
http://mentors.debian.net/debian/pool/main/p/phpmyid/phpmyid_0.9-1.dsc

I would be glad if someone uploaded this package for me.

Kind regards
 Andreas Schildbach



