[Bug 481536] Review Request: enano - Enano CMS, a php-based modular content management system

bugzilla at redhat.com bugzilla at redhat.com
Fri May 29 18:33:11 UTC 2009

https://bugzilla.redhat.com/show_bug.cgi?id=481536
--- Comment #14 from Toshio Ernie Kuratomi <a.badger at gmail.com>  2009-05-29 14:33:10 EDT ---
For security, that's not really good enough.  Sanitising input is necessary
whether you bundle your libraries or not.  Bundling means that if foo.php v1.1
has an unintended flaw that allows users to access resources they shouldn't (or
DOS the server or...) even without injection, and upstream foo fixes that by
releasing foo-2.0 we will upgrade the foo package ASAP.  But we don't know that
enano is carrying an old, insecure foo-1.1 because you didn't notice the
security announcement or didn't immediately release a new enano version.
System administrators rely on us to keep their software free of security
vulnerabilities.  Not bundling libraries is one way that we ensure that.

For the PHP license:
http://www.fsf.org/licensing/licenses/index_html#GPLIncompatibleLicenses
