Moin in EPEL
Ville-Pekka Vainio
vpivaini at cs.helsinki.fi
Tue Jun 16 19:47:21 UTC 2009
Hi,
I recently took over as the maintainer of the moin package in Fedora and
EPEL. It's my first EPEL package. I've been able to handle the Fedora
side quite well but, to be honest, I'm in a bit of trouble with the EPEL
packages. The thing is, the package has been practically unmaintained
for a year now and I'm quite certain there are security issues with it
(I'd rather not disclose the possible vulnerabilities on a public
mailing list).
The moin version in EPEL is 1.5.9 and upstream has abandoned the 1.5
series completely. From what I've read on mailing lists, IRC and the
Moin documentation, the migration from 1.5 to 1.6 or later can be quite
painful. IIRC the Fedora infrastructure team were testing it before
switching to MediaWiki and they had all kinds of problems with it as
well. This is why I'd rather not submit an update to 1.8, which is the
current stable branch, in EL-4 or EL-5.
Out of the major distributions, Debian Etch aka oldstable has 1.5.3; all
others either don't have Moin at all or have some newer version. Debian
will apparently drop support for Etch in February 2010, at which point
EL-5 has about four (?) years of support left and we'll be on our own
with Moin 1.5.
The most important thing the Moin packages need right now would be for
someone to go through the CVE reports against Moin, the project's own
security page, Debian's security patches and Fedora's security patches,
see which ones need to be applied and build updated packages. I can
start working on this soon, but my free time is somewhat limited right
now.
With these points in mind:
- Are there any people on the list who'd like to become co-maintainers
or even primary maintainers for Moin in the EPEL branches?
- Should we just update Moin to a version with upstream support even
though it might cause major pain to anyone running the current
packages?
- Related to these questions, once even Debian drops 1.5, are there
going to be enough people in the EPEL project to take care of the
possible security issues?
- If not, should we just orphan Moin in EPEL?
--
Ville-Pekka Vainio