Re: phpMyAdmin: security bugs

On Sat, 19 Oct 2013, Robert Scheck wrote:

On Wed, 09 Oct 2013, Paul Wouters wrote:
I'm not really a user of phpMyAdmin, so if someone who actually uses
this package wishes to take maintainership, please do!

you noticed, that you pushed yet another version of phpMyAdmin with a *.swf
file that is somehow "proprietary" because we do not build the *.swf from
source? I as the package maintainer of phpMyAdmin would have expected that
you also are getting in touch with me at all - I can not find any e-mail in
my mailbox from you... :-(

I'd have to check if I mailed you. I did post publicly to the devel
list.

All I did was bump the release a minor number and some sanity
checks and put it in updates-testing for people to test. I would assume
the maintainer would notice this in a couple of days.

If you are making changes from the original source ball, you should
really make a note of that in the spec file so others are aware of this.
Look at the openssl tarball for an example of how to store modified from
upstream tar balls into the fedora repository. The tarball is renamed to
clearly indicate it is modified from upstream.

Anyway, thank you for solving this security issue. And also thank you that
you were the guy uploading and building the package - after all, the package
owners/maintainers were notified about *.swf files in their packages... ;-)

But it still took 10 days for you to notice? phpMyAdmin is unfortunately
not very robust yet deployed everywhere without additional .htaccess
around it. It's often abused for compromising servers.

On the other hand, I would like to ask you to revisit e.g. RHBZ#959946 [1]
before asking others to step up as maintainers for phpMyAdmin. So there is
enough work left, before any other (especially non-security) phpMyAdmin
update should happen.

I was under the impression the maintainer was MIA. What I meant to
convey was "I'm not a good maintainer for this package, because I don't
use it". So I was mostly saying I do not wish to be the maintainer. And
I was surely not going to bump the major version in a package that I do
not deploy in production (anymore) myself. So please interpret my
request as only to signify that I did not want to be a maintainer.

Paul
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
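The packaging procedure Paul describes (drop the unbuildable *.swf blob, rename the tarball so the modification is obvious, and record it in the spec file) is shown below as an added example; it is not part of the thread and not Fedora's or phpMyAdmin's own tooling. The tarball name `phpMyAdmin-X.Y.Z-all-languages.tar.gz`, the `-noswf` suffix and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): repack an upstream tarball without
# *.swf blobs and rename it so a spec-file comment can record the change.
# Names and suffix are assumptions, not a Fedora convention.
set -eu

# Strip every *.swf member from an upstream .tar.gz and write a renamed
# tarball into outdir (use an absolute path). Prints the new tarball path.
strip_swf_tarball() {
    src="$1"; outdir="$2"
    base=$(basename "$src" .tar.gz)
    work=$(mktemp -d)
    tar -xzf "$src" -C "$work"
    # Remove the blobs we cannot rebuild from source.
    find "$work" -type f -name '*.swf' -delete
    out="$outdir/${base}-noswf.tar.gz"
    tar -czf "$out" -C "$work" .
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Return 0 when the tarball contains no *.swf member, 1 otherwise.
tarball_has_no_swf() {
    ! tar -tzf "$1" | grep -q '\.swf$'
}

# Emit the spec-file note that documents how Source0 was produced.
spec_source_comment() {
    cat <<EOF
# Source0 is the upstream tarball with *.swf files removed (no source to
# rebuild them). Regenerate with: strip_swf_tarball $(basename "$1") .
EOF
}

# Build a small constructed sample tarball to exercise the functions.
make_sample_tarball() {
    dir=$(mktemp -d)
    top="phpMyAdmin-X.Y.Z-all-languages"
    mkdir -p "$dir/$top/js"
    echo '<?php // constructed sample file' > "$dir/$top/index.php"
    printf 'FWS' > "$dir/$top/js/blob.swf"   # constructed stand-in for the blob
    tar -czf "$dir/$top.tar.gz" -C "$dir" "$top"
    printf '%s\n' "$dir/$top.tar.gz"
}
```

Running `out=$(strip_swf_tarball upstream.tar.gz "$PWD")` followed by `tarball_has_no_swf "$out"` gives a repeatable check that the shipped Source0 really is free of the blob; `spec_source_comment` prints the note to paste above `Source0:` so the next maintainer sees why the tarball differs from upstream.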