Question about web applications

Paulo Cavalcanti promac at gmail.com
Thu Jun 4 13:27:33 UTC 2009


On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <limb at jcomserv.net> wrote:

> David Nalley wrote:
>
>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <promac at gmail.com>
>> wrote:
>>
>>
>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <david at gnsa.us> wrote:
>>>
>>>
>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac at gmail.com>
>>>> wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> I submitted ampache (http://ampache.org/) for review, but I was told
>>>>> that it could not use any external software bundled in the code. In
>>>>> fact, it uses getid3, a file that seems to come from horde
>>>>> (horde/Browser.php), and some others.
>>>>>
>>>>> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache):
>>>>>
>>>>> "Ampache has been featured in numerous online blogs and technical
>>>>> articles. One of the more notable was the O'Reilly book Spidering Hacks,
>>>>> which tested the security of online applications. Ampache was found to be
>>>>> immune to standard spidering hacks as described in the O'Reilly article,
>>>>> and it has continued that trend by focusing on security during its
>>>>> development. The Code Philosophy listed on Ampache's wiki specifically
>>>>> lists security as one of those most important considerations during
>>>>> application development."
>>>>>
>>>>> Does it make any sense to fiddle with something that has always had
>>>>> security as a prime concern?
>>>>>
>>>>> Any comment is welcome.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Paulo Roma Cavalcanti
>>>>> LCG - UFRJ
>>>>>
>>>>> --
>>>>> fedora-devel-list mailing list
>>>>> fedora-devel-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>>>>>
>>>>>
>>>>>
>>>> Perhaps I am the least well suited to respond as I did some of the
>>>> initial review.
>>>>
>>>>
>>> No, on the contrary.
>>>
>>>
>>>
>>>> However, there are at least 10 bundled libraries with ampache,
>>>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>>>> captchaphp, php-Snoopy, etc.
>>>>
>>>> In addition to the security benefits, creating the separate package
>>>> means other packages (even other web apps) can make use of the
>>>> libraries that would be available in Fedora instead of just ampache.
>>>> I can empathize with the extra work that this causes, as I am trying
>>>> to fix a few of these problems with another web app.
>>>>
>>>>
>>>>
>>> Maybe we can list all of the packages we would like to have for web
>>> applications, and try to set a "task force" to cope with them?
>>>
>>> I think if we had three or four people willing to help, the work would be
>>> concluded fast. There are always people looking forward to contributing,
>>> but without a good package to work with.
>>>
>>>
>>>
>>
>>
>> I think that's an outstanding idea, and I'd be willing to work towards
>> such an end, and perhaps since there is such a prevalence of php we
>> can get some buy-in from the php-sig as well. To illustrate some of
>> the usefulness - I have a web app I am working on now that uses
>> php-Snoopy as ampache also does, so that's at least two applications
>> that can make use of the package.
>>
>>
>>
> Count me in. I maintain several PHP apps, and having gone through the
> nightmare of switching from bundled to system libraries, I wholeheartedly
> agree that using system libraries from the beginning is the best way to go.
>  Using the system lib means that security fixes are done in one place for
> all apps, and we don't have to patch the apps, or wait for upstream to push
> an update with an updated bundled lib.
>
> I'll help review, etc.
>
>
Thank you Jon. I will start with getid3.

It would be nice if we had a list of the missing packages available somewhere,
so people interested in helping could choose what to package.


-- 
Paulo Roma Cavalcanti
LCG - UFRJ