<div class="gmail_quote">On Thu, Jun 4, 2009 at 10:29 AM, Jon Ciesla <<a href="mailto:limb@jcomserv.net">limb@jcomserv.net</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div bgcolor="#ffffff" text="#000000"><div><div></div><div class="h5"> Paulo Cavalcanti wrote: <blockquote type="cite"> <div class="gmail_quote">On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <<a href="mailto:limb@jcomserv.net" target="_blank">limb@jcomserv.net</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div> <div>David Nalley wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <<a href="mailto:promac@gmail.com" target="_blank">promac@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <<a href="mailto:david@gnsa.us" target="_blank">david@gnsa.us</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <<a href="mailto:promac@gmail.com" target="_blank">promac@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hi, I submitted ampache (<a href="http://ampache.org/" target="_blank">http://ampache.org/</a>) for review, but I was told that it could not use any external software bundled in the code. In fact, it uses getid3, a file that seems to come from horde (horde/Browser.php), and some others. According to the weekpedia (<a href="http://en.wikipedia.org/wiki/Ampache" target="_blank">http://en.wikipedia.org/wiki/Ampache</a>) "Ampache has been featured in numerous online blogs and technical articles. One of the more notable was the O'Reilly book Spidering Hacks which tested the security of online applications. Ampache was found to be immune to standard spidering hacks as described in the O'Reilly article, and it has continued that trend by focusing on security during its development. The Code Philosophy listed on Ampache's wiki specifically lists security as one of those most important considerations during application development." Does it make any sense to fiddle something that has always had security as a prime concern? Any comment is welcome. Thanks. -- Paulo Roma Cavalcanti LCG - UFRJ -- fedora-devel-list mailing list <a href="mailto:fedora-devel-list@redhat.com" target="_blank">fedora-devel-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/fedora-devel-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-devel-list</a> </blockquote> Perhaps I am the least well suited to respond as I did some of the initial review. </blockquote> No, on the contrary. <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> However, there are at least 10 bundled libraries with ampache, including pear-XML_RPC, nusoap, getid3, small snippets from Horde, captchaphp, php-Snoopy, etc. In addition to the security benefits, creating the separate package means other packages (even other web apps) can make use of the libraries that would be available in Fedora instead of just ampache. I can empathize with the extra work that this causes, as I am trying to fix a few of these problems with another web app. </blockquote> Maybe we can list all of the packages we would like to have for web applications, and try to set a "task force" to cope with them? I think if we had three or four people willing to help, the work would be concluded fast. There are always people looking forward to contributing, but without a good package to work with. </blockquote> I think that's an outstanding idea, and I'd be willing to work towards such an end, and perhaps since there is such a prevalence of php we can get some buy-in from the php-sig as well. To illustrate some of the usefulness - I have a web app I am working on now that uses php-Snoopy as ampache also does, so that's at least two applications that can make use of the package. </blockquote> </div> </div> Count me in. I maintain several PHP apps, and having gone through the nightmare of switching from bundled to system libraries, I wholeheartedly agree that using system libraries from the beginning is the best way to go. Using the system lib means that security fixes are done in one place for all apps, and we don't have to patch the apps, or wait for upstream to push an update with an updated bundled lib. I'll help review, etc. </blockquote> <div> Thank you Jon. I will start with getid3. It would be nice if we had a list of packages missing available elsewhere, so people, interested in helping, could choose what to pack. </div> </div> -- Paulo Roma Cavalcanti LCG - UFRJ </blockquote></div></div> You mean like a subcategory of <a href="http://fedoraproject.org/wiki/PackageMaintainers/WishList" target="_blank">http://fedoraproject.org/wiki/PackageMaintainers/WishList</a> ?</div></blockquote><div> Yes, a more specific entry, such as web applications? </div></div> -- Paulo Roma Cavalcanti LCG - UFRJ