Question about web applications
David Nalley
david at gnsa.us
Thu Jun 4 11:00:25 UTC 2009
On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac at gmail.com> wrote:
> Hi,
>
> I submitted ampache (http://ampache.org/) for review, but I was told that it
> could not use any external software
> bundled in the code. In fact, it uses getid3, a file that seems to come from
> horde (horde/Browser.php),
> and some others.
>
> According to the weekpedia (http://en.wikipedia.org/wiki/Ampache)
>
> "Ampache has been featured in numerous online blogs and technical articles.
> One of the more notable was the O'Reilly book Spidering Hacks which tested
> the security of online applications. Ampache was found to be immune to
> standard spidering hacks as described in the O'Reilly article, and it has
> continued that trend by focusing on security during its development. The
> Code Philosophy listed on Ampache's wiki specifically lists security as one
> of those most important considerations during application development."
>
> Does it make any sense to fiddle something that has always had security as a
> prime concern?
>
> Any comment is welcome.
>
> Thanks.
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>
Perhaps I am the least well suited to respond as I did some of the
initial review.
However, there are at least 10 bundled libraries with ampache,
including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
captchaphp, php-Snoopy, etc.
In addition to the security benefits, creating the separate package
means other packages (even other web apps) can make use of the
libraries that would be available in Fedora instead of just ampache.
I can empathize with the extra work that this causes, as I am trying
to fix a few of these problems with another web app.
More information about the fedora-devel-list
mailing list