Moin in EPEL

Ville-Pekka Vainio vpivaini at cs.helsinki.fi
Tue Jun 16 19:47:21 UTC 2009 

Hi,

I recently took over as the maintainer of the moin package in Fedora and
EPEL. It's my first EPEL package. I've been able to handle the Fedora
side quite well but, to be honest, I'm in a bit of trouble with the EPEL
packages. The thing is, the package has been practically unmaintained
for a year now and I'm quite certain there are security issues with it
(I'd rather not disclose the possible vulnerabilities on a public
mailing list).

The moin version in EPEL is 1.5.9 and upstream has abandoned the 1.5
series completely. From what I've read on mailing lists, IRC and the
Moin documentation, the migration from 1.5 to 1.6 or later can be quite
painful. IIRC the Fedora infrastructure team were testing it before
switching to Mediawiki and they had all kinds of problems with it as
well. This is why I'd rather not submit an update to 1.8, which is the
current stable branch, in EL-4 or EL-5.

Out of the major distributions, Debian Etch aka oldstable has 1.5.3, all
others either don't have Moin at all or have some newer version. Debian
will apparently drop support for Etch on February 2010, at which point
EL-5 has about four (?) years of support left and we'll be on our own
with Moin 1.5.

The most important thing the Moin packages need right now would be for
someone to go through the CVE reports against Moin, the project's own
security page, Debian's security patches and Fedora's security patches,
see which ones need to be applied and build updated packages. I can
start working on this soon, but my free time is somewhat limited right
now.

With these points in mind: 
 - Are there any people on the list who'd like to become co-maintainers 
   or even primary maintainers for Moin in the EPEL branches?
 - Should we just update Moin to a version with upstream support even   
   though it might cause major pain to anyone running the current 
   packages?
 - Related to these questions, once even Debian drops 1.5, is there 
   going to be enough people in the EPEL project to take care of the 
   possible security issues?
 - If not, should we just orphan Moin in EPEL?


-- 
Ville-Pekka Vainio

More information about the epel-devel-list mailing list