Question about web applications

Jon Ciesla limb at jcomserv.net
Thu Jun 4 13:29:32 UTC 2009


Paulo Cavalcanti wrote:
>
>
> On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <limb at jcomserv.net> wrote:
>
>     David Nalley wrote:
>
>         On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti
>         <promac at gmail.com> wrote:
>          
>
>             On Thu, Jun 4, 2009 at 8:00 AM, David Nalley
>             <david at gnsa.us> wrote:
>                
>
>                 On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti
>                 <promac at gmail.com> wrote:
>                      
>
>                     Hi,
>
>                     I submitted ampache (http://ampache.org/) for
>                     review, but I was told that it could not use any
>                     external software bundled in the code. In fact, it
>                     uses getid3, a file that seems to come from horde
>                     (horde/Browser.php), and some others.
>
>                     According to the Wikipedia
>                     (http://en.wikipedia.org/wiki/Ampache)
>
>                     "Ampache has been featured in numerous online blogs
>                     and technical articles. One of the more notable was
>                     the O'Reilly book Spidering Hacks which tested the
>                     security of online applications. Ampache was found
>                     to be immune to standard spidering hacks as
>                     described in the O'Reilly article, and it has
>                     continued that trend by focusing on security during
>                     its development. The Code Philosophy listed on
>                     Ampache's wiki specifically lists security as one
>                     of those most important considerations during
>                     application development."
>
>                     Does it make any sense to fiddle something that has
>                     always had security as a prime concern?
>
>                     Any comment is welcome.
>
>                     Thanks.
>
>                     --
>                     Paulo Roma Cavalcanti
>                     LCG - UFRJ
>
>                            
>
>                 Perhaps I am the least well suited to respond as I did
>                 some of the initial review.
>                      
>
>             No, on the contrary.
>
>                
>
>                 However, there are at least 10 bundled libraries with
>                 ampache, including pear-XML_RPC, nusoap, getid3, small
>                 snippets from Horde, captchaphp, php-Snoopy, etc.
>
>                 In addition to the security benefits, creating the
>                 separate package means other packages (even other web
>                 apps) can make use of the libraries that would be
>                 available in Fedora instead of just ampache. I can
>                 empathize with the extra work that this causes, as I am
>                 trying to fix a few of these problems with another web
>                 app.
>
>                      
>
>             Maybe we can list all of the packages we would like to
>             have for web applications, and try to set a "task force"
>             to cope with them?
>
>             I think if we had three or four people willing to help,
>             the work would be concluded fast. There are always people
>             looking forward to contributing, but without a good
>             package to work with.
>
>                
>
>
>
>         I think that's an outstanding idea, and I'd be willing to work
>         towards such an end, and perhaps since there is such a
>         prevalence of php we can get some buy-in from the php-sig as
>         well. To illustrate some of the usefulness - I have a web app
>         I am working on now that uses php-Snoopy as ampache also does,
>         so that's at least two applications that can make use of the
>         package.
>
>          
>
>     Count me in. I maintain several PHP apps, and having gone through
>     the nightmare of switching from bundled to system libraries, I
>     wholeheartedly agree that using system libraries from the
>     beginning is the best way to go.  Using the system lib means that
>     security fixes are done in one place for all apps, and we don't
>     have to patch the apps, or wait for upstream to push an update
>     with an updated bundled lib.
>
>     I'll help review, etc.
>
>
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of packages missing available elsewhere,
> so people, interested in helping, could choose what to pack. 
>
>
> -- 
> Paulo Roma Cavalcanti
> LCG - UFRJ
You mean like a subcategory of 
http://fedoraproject.org/wiki/PackageMaintainers/WishList ?

-- 
in your fear, speak only peace
in your fear, seek only love

-d. bowie
