On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <promac@xxxxxxxxx> wrote:
>
>
> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <david@xxxxxxx> wrote:
>>
>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac@xxxxxxxxx> wrote:
>> > Hi,
>> >
>> > I submitted ampache (http://ampache.org/) for review, but I was told
>> > that it could not use any external software bundled in the code. In
>> > fact, it uses getid3, a file that seems to come from horde
>> > (horde/Browser.php), and some others.
>> >
>> > According to the Wikipedia (http://en.wikipedia.org/wiki/Ampache)
>> >
>> > "Ampache has been featured in numerous online blogs and technical
>> > articles. One of the more notable was the O'Reilly book Spidering
>> > Hacks which tested the security of online applications. Ampache was
>> > found to be immune to standard spidering hacks as described in the
>> > O'Reilly article, and it has continued that trend by focusing on
>> > security during its development. The Code Philosophy listed on
>> > Ampache's wiki specifically lists security as one of those most
>> > important considerations during application development."
>> >
>> > Does it make any sense to fiddle something that has always had
>> > security as a prime concern?
>> >
>> > Any comment is welcome.
>> >
>> > Thanks.
>> >
>> > --
>> > Paulo Roma Cavalcanti
>> > LCG - UFRJ
>> >
>> > --
>> > fedora-devel-list mailing list
>> > fedora-devel-list@xxxxxxxxxx
>> > https://www.redhat.com/mailman/listinfo/fedora-devel-list
>> >
>>
>>
>> Perhaps I am the least well suited to respond as I did some of the
>> initial review.
>
> No, on the contrary.
>
>>
>> However, there are at least 10 bundled libraries with ampache,
>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>> captchaphp, php-Snoopy, etc.
>>
>> In addition to the security benefits, creating the separate package
>> means other packages (even other web apps) can make use of the
>> libraries that would be available in Fedora instead of just ampache.
>> I can empathize with the extra work that this causes, as I am trying
>> to fix a few of these problems with another web app.
>>
>
> Maybe we can list all of the packages we would like to have for web
> applications, and try to set a "task force" to cope with them?
>
> I think if we had three or four people willing to help, the work would be
> concluded fast. There are always people looking forward to contributing,
> but without a good package to work with.
>

I think that's an outstanding idea, and I'd be willing to work towards
such an end, and perhaps since there is such a prevalence of php we
can get some buy-in from the php-sig as well.

To illustrate some of the usefulness - I have a web app I am working
on now that uses php-Snoopy as ampache also does, so that's at least
two applications that can make use of the package.