Re: RFS: elgg

On Sat, May 2, 2009 at 1:18 AM, Brett Profitt <brett.profitt@gmail.com> wrote:
> Dear mentors,
>
> I am looking for a sponsor for my package "elgg".
>
> * Package name    : elgg
>  Version         : 1.5-1
>  Upstream Author : Curverider LLT <info@curveriderhq.com>
> * URL             : http://www.elgg.org
> * License         : GPL 2 (some components MIT, LGPL-2.1, and
> GPL-compatible custom licenses)
>  Section         : web
>
> It builds these binary packages:
> elgg       - PHP-based social networking framework
>
> The package appears to be lintian clean.
>
> The upload would fix these bugs: 526197
>
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/e/elgg
> - Source repository: deb-src http://mentors.debian.net/debian unstable
> main contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/e/elgg/elgg_1.5-1.dsc
>
> I would be glad if someone uploaded this package for me.  Failing
> that, I would like any helpful comments and criticisms of the package.

First, here is an unhelpful one: eeep, PHP!! :)

Now on to the constructive criticism (based on the diff.gz only):

It is the sysadmin's responsibility to determine which vhost(s) and
URL location they want to assign to elgg, so please do not set an Alias
in the apache configuration; the <Directory> is fine though. The
entries in the crontab file should be disabled by default, since you
can't know what URL the sysadmin used.

Isn't an apache reload enough? Why do you need a restart?

The postrm makes me think that elgg can't do multiple sites on the
same machine. Is that the case?

Your debian/rules and debian/copyright files make me think that elgg
contains multiple embedded code copies (tinymce, kses, twitter,
zaudio, vendors/* and probably more), please fix that.

Please clean up the watch file, it only needs to be 2 lines long.

Does elgg allow files to be uploaded? If so please set some apache
config to turn off PHP, CGI, WSGI etc and return all other files as
plain text or generic binary files.

What is the security history of elgg? Any CVEs released?

Does the code use prepared SQL statements or manually-assembled
queries? The former should be preferred to prevent SQL-injection
vulnerabilities.

Please get your debconf templates reviewed on debian-l10n-english and
translated by folks on debian-i18n.

Don't forget to send patches upstream.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
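As an added illustration (not part of pabs's mail or the elgg package), this is one way to write the apache snippet the review asks for: an upload tree where PHP, CGI and similar handlers are switched off and every file comes back as plain text or an opaque download. The path /var/lib/elgg/data is an assumed placeholder for wherever the package stores user uploads, and the directives assume mod_php and mod_headers are loaded.

```apache
# Added example: hardening an assumed upload directory for elgg.
# /var/lib/elgg/data is a placeholder, not a path from the package.
<Directory /var/lib/elgg/data>
    # Apache 2.4 access syntax; no CGI, SSI or listings, no .htaccess overrides
    Require all granted
    Options -ExecCGI -Includes -Indexes
    AllowOverride None

    # Disable the PHP engine here (mod_php) and detach any script handler or
    # MIME type inherited from the server, so an uploaded .php/.cgi/.pl file
    # is delivered as data rather than executed.
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3 .php4 .php5 .cgi .pl .py .wsgi
    RemoveType    .php .phtml .php3 .php4 .php5
    SetHandler default-handler

    # Everything is a generic binary download by default ...
    ForceType application/octet-stream
    Header set Content-Disposition attachment
    # ... and browsers must not sniff a scriptable type out of it (mod_headers).
    Header set X-Content-Type-Options nosniff

    # ... except plain-text files, which are harmless to show inline.
    <FilesMatch "\.(txt|log|csv)$">
        ForceType text/plain
        Header unset Content-Disposition
    </FilesMatch>
</Directory>
```

With this in place, `curl -I` against an uploaded `.php` file should return `Content-Type: application/octet-stream` rather than the output of the script.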
