Question about web applications

Thu Jun 4 13:42:35 UTC 2009

On Thu, Jun 4, 2009 at 10:29 AM, Jon Ciesla <limb at jcomserv.net> wrote:

>  Paulo Cavalcanti wrote:
>
>
>
> On Thu, Jun 4, 2009 at 9:28 AM, Jon Ciesla <limb at jcomserv.net> wrote:
>
>>  David Nalley wrote:
>>
>>> On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <promac at gmail.com>
>>> wrote:
>>>
>>>
>>>> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <david at gnsa.us> wrote:
>>>>
>>>>
>>>>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac at gmail.com>
>>>>> wrote:
>>>>>
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I submitted ampache (http://ampache.org/) for review, but I was told
>>>>>> that it
>>>>>> could not use any external software
>>>>>> bundled in the code. In fact, it uses getid3, a file that seems to
>>>>>> come
>>>>>> from
>>>>>> horde (horde/Browser.php),
>>>>>> and some others.
>>>>>>
>>>>>> According to the weekpedia (http://en.wikipedia.org/wiki/Ampache)
>>>>>>
>>>>>> "Ampache has been featured in numerous online blogs and technical
>>>>>> articles.
>>>>>> One of the more notable was the O'Reilly book Spidering Hacks which
>>>>>> tested
>>>>>> the security of online applications. Ampache was found to be immune to
>>>>>> standard spidering hacks as described in the O'Reilly article, and it
>>>>>> has
>>>>>> continued that trend by focusing on security during its development.
>>>>>> The
>>>>>> Code Philosophy listed on Ampache's wiki specifically lists security
>>>>>> as
>>>>>> one
>>>>>> of those most important considerations during application
>>>>>> development."
>>>>>>
>>>>>> Does it make any sense to fiddle something that has always had
>>>>>> security
>>>>>> as a
>>>>>> prime concern?
>>>>>>
>>>>>> Any comment is welcome.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Paulo Roma Cavalcanti
>>>>>> LCG - UFRJ
>>>>>>
>>>>>> --
>>>>>> fedora-devel-list mailing list
>>>>>> fedora-devel-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>>>>>>
>>>>>>
>>>>>>
>>>>> Perhaps I am the least well suited to respond as I did some of the
>>>>> initial review.
>>>>>
>>>>>
>>>> No, on the contrary.
>>>>
>>>>
>>>>
>>>>> However, there are at least 10 bundled libraries with ampache,
>>>>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>>>>> captchaphp, php-Snoopy, etc.
>>>>>
>>>>> In addition to the security benefits, creating the separate package
>>>>> means other packages (even other web apps) can make use of the
>>>>> libraries that would be available in Fedora instead of just ampache.
>>>>> I can empathize with the extra work that this causes, as I am trying
>>>>> to fix a few of these problems with another web app.
>>>>>
>>>>>
>>>>>
>>>> Maybe we can list all of the packages we would like to have for web
>>>> applications, and try to set a "task force" to cope with them?
>>>>
>>>> I think if we had three or four people willing to help, the work would
>>>> be
>>>> concluded fast. There are always people looking forward to contributing,
>>>> but without a good package to work with.
>>>>
>>>>
>>>>
>>>
>>>
>>> I think that's an outstanding idea, and I'd be willing to work towards
>>> such an end, and perhaps since there is such a prevalence of php we
>>> can get some buy-in from the php-sig as well. To illustrate some of
>>> the usefulness - I have a web app I am working on now that uses
>>> php-Snoopy as ampache also does, so that's at least two applications
>>> that can make use of the package.
>>>
>>>
>>>
>>  Count me in. I maintain several PHP apps, and having gone through the
>> nightmare of switching from bundled to system libraries, I wholeheartedly
>> agree that using system libraries from the beginning is the best way to go.
>>  Using the system lib means that security fixes are done in one place for
>> all apps, and we don't have to patch the apps, or wait for upstream to push
>> an update with an updated bundled lib.
>>
>> I'll help review, etc.
>>
>>
> Thank you Jon. I will start with getid3.
>
> It would be nice if we had a list of packages missing available elsewhere,
> so people, interested in helping, could choose what to pack.
>
>
> --
> Paulo Roma Cavalcanti
> LCG - UFRJ
>
> You mean like a subcategory of
> http://fedoraproject.org/wiki/PackageMaintainers/WishList ?
>

Yes, a more specific entry, such as web applications?

-- 
Paulo Roma Cavalcanti
LCG - UFRJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20090604/aba3d9cb/attachment.htm>