Question about web applications
Jon Ciesla
limb at jcomserv.net
Thu Jun 4 13:29:32 UTC 2009
Paulo Cavalcanti wrote:
>
>
> On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <limb at jcomserv.net> wrote:
>
> David Nalley wrote:
>
> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <promac at gmail.com> wrote:
>
>
> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <david at gnsa.us> wrote:
>
>
> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac at gmail.com> wrote:
>
>
> Hi,
>
> I submitted ampache (http://ampache.org/) for review, but I was told that it
> could not use any external software bundled in the code. In fact, it uses
> getid3, a file that seems to come from horde (horde/Browser.php), and some
> others.
>
> According to Wikipedia (http://en.wikipedia.org/wiki/Ampache)
>
> "Ampache has been featured in numerous online blogs and technical articles.
> One of the more notable was the O'Reilly book Spidering Hacks which tested
> the security of online applications. Ampache was found to be immune to
> standard spidering hacks as described in the O'Reilly article, and it has
> continued that trend by focusing on security during its development. The
> Code Philosophy listed on Ampache's wiki specifically lists security as one
> of those most important considerations during application development."
>
> Does it make any sense to fiddle something that has always had security as a
> prime concern?
>
> Any comment is welcome.
>
> Thanks.
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ
>
>
>
>
> Perhaps I am the least well suited to respond as I did some of the
> initial review.
>
>
> No, on the contrary.
>
>
>
> However, there are at least 10 bundled libraries with ampache,
> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
> captchaphp, php-Snoopy, etc.
>
> In addition to the security benefits, creating the separate package
> means other packages (even other web apps) can make use of the
> libraries that would be available in Fedora instead of just ampache.
> I can empathize with the extra work that this causes, as I am trying
> to fix a few of these problems with another web app.
>
>
>
> Maybe we can list all of the packages we would like to have for web
> applications, and try to set a "task force" to cope with them?
>
> I think if we had three or four people willing to help, the work would be
> concluded fast. There are always people looking forward to contributing,
> but without a good package to work with.
>
>
>
>
>
> I think that's an outstanding idea, and I'd be willing to work towards
> such an end, and perhaps since there is such a prevalence of php we
> can get some buy-in from the php-sig as well. To illustrate some of
> the usefulness - I have a web app I am working on now that uses
> php-Snoopy as ampache also does, so that's at least two applications
> that can make use of the package.
>
>
>
> Count me in. I maintain several PHP apps, and having gone through
> the nightmare of switching from bundled to system libraries, I
> wholeheartedly agree that using system libraries from the
> beginning is the best way to go. Using the system lib means that
> security fixes are done in one place for all apps, and we don't
> have to patch the apps, or wait for upstream to push an update
> with an updated bundled lib.
>
> I'll help review, etc.
>
>
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of packages missing available elsewhere,
> so people interested in helping could choose what to pack.
>
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ
You mean like a subcategory of
http://fedoraproject.org/wiki/PackageMaintainers/WishList ?
--
in your fear, speak only peace
in your fear, seek only love
-d. bowie