[Bug 481536] Review Request: enano - Enano CMS, a php-based modular content management system



https://bugzilla.redhat.com/show_bug.cgi?id=481536
--- Comment #14 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx>  2009-05-29 14:33:10 EDT ---
For security, that's not really good enough.  Sanitising input is necessary
whether you bundle your libraries or not.  Bundling means that if foo.php v1.1
has an unintended flaw that allows users to access resources they shouldn't (or
DOS the server or...) even without injection, and upstream foo fixes that by
releasing foo-2.0 we will upgrade the foo package ASAP.  But we don't know that
enano is carrying an old, insecure foo-1.1 because you didn't notice the
security announcement or didn't immediately release a new enano version. 
System administrators rely on us to keep their software free of security
vulnerabilities.  Not bundling libraries is one way that we ensure that.

For the PHP license:
http://www.fsf.org/licensing/licenses/index_html#GPLIncompatibleLicenses


_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review
