
Re: webapps in stable release cycles Was: flashplugin-nonfree in Debian



On Wednesday 22 April 2009 12:35:12, Raphael Geissert wrote:
> [Dropping -release and -volatile]
>
> Jan Wagner wrote:
> > Hi Romain,
> >
> > On Wednesday 22 April 2009, Romain Beauxis wrote:
> >> However, I wonder if this would need yet another archive, or just an
> >> update of a policy, either in backports.org or volatile..
> >
> > DUNNO for volatile, but the ftp-master of bpo, who is actually doing
> > the main work, clarified that they don't like to be responsible for PHP-based
> > packages, which is the most likely language of the applications that
> > match the criteria.
>
> I think the situation is more or less (please pay attention to that, will
> clarify later) that maintainers don't feel like doing the necessary work to
> fix the issues as they are found. I'm in no way saying that they are lazy
> or irresponsible; web apps are by nature more exposed to security threats
> than most other kinds of apps; at times upstreams are not helpful, at times
> upstream lacks the necessary knowledge, at times it is the maintainer, at
> times they are both, at times it is the scripting language as well.
>
> But any app that won't be properly supported should not be shipped in a
> stable release, and proposing yet another repository doesn't feel like the
> right solution. Instead, in the perfect situation, maintainers should learn
> more about the language of the application, the security implications,
> detecting and fixing security issues, etc. so that they take care of their
> packages.
>
> The goal is to work towards improving, not just giving up by creating
> another dump repo.
>
> And since there are cases where it is not feasible or even doable to work
> towards improving the security of the app because of upstream, those cases
> should be re-considered and probably better removed. Re-writing is not
> always a bad idea.

I think you have a wrong view, probably due to the fact that you don't
maintain or develop webapps (I might be wrong, please accept my apologies in that case).

Security issues in webapps are very, very different from those in other software.

Web technologies imply the combined use of a lot of different protocols,
software, etc.

For instance, there are security issues in webapps that are in fact due to the
combination of the browser's bad implementation (including software we
don't actually maintain, such as IE), PHP features and the web server options,
which are specific to, say, Apache.

I mentioned in my previous email the latest security upload of mediawiki;
did you look at it?

I gave this example precisely because mediawiki upstream release management is
one of the most serious I know of among webapps. And even though they fix issues with
care, and their code is surely very good, this still ends up with *huge*
security patches.

Or, are you claiming that we should rewrite mediawiki?


Romain