massfiling
Hi all,
The Debian Apache team has been auditing all packages that depend on apache. [1]
This is part of our ongoing efforts to ensure the highest quality Apache 1.3
packages possible.
We have identified various problems that may result in bugs being filed on
various packages. We'd like to achieve some kind of consensus before we do
this.
The main problems are:
1) Packages changing user configuration files in a dangerous manner
(RC bugs)
2) Unclear use of dependencies
(Severity: normal if this is not done intentionally.)
3) Packages using apacheconfig or the soon to be renamed modules-config.
Important Notes:
- The package lists are not in a specific order
- Packages can appear in more than one section
- The BTS has not yet been checked for duplicates.
This will occur before any bug reports are filed.
- Packages that the Apache team maintain are not listed here, although they
may suffer from some of these problems. They will be fixed once consensus is
reached.
- The analysis is not perfect! There may well be false positives, although we
have attempted to avoid this. If this is the case, please let us know.
Detailed analysis
-----------------
1) The following packages edit user configuration files.
Several tools are available to facilitate this kind of operation, such as ucf,
/usr/share/apache/listconffiles and postinst.common.
We will be happy to help maintainers who wish to make use of these facilities.
Package: wwwconfig-common
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: scripts provided to handle apache config files can mangle user
configuration files without user permission and can remove user
specific settings
NOTE: wwwconfig-common is used by a large number of packages.
For some of those packages there is an extensive comment, for others only a
short note.
Packages that do not match any criteria of this report but use
wwwconfig-common are not reported, since a simple apt-cache rdepends will show
all of them.
It could be argued that it is not wwwconfig-common's role to provide certain
checks, but it is certainly easier to fix the problem correctly in one central
location, rather than duplicate code per package.
Package: libapache-mod-webapp
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: maint scripts can mangle httpd.conf
Package: fibusql
Maintainer: Martin Pitt <mpitt@debian.org>
Problem: maint scripts can mangle httpd.conf user changes
Package: jffnms
Maintainer: Craig Small <csmall@debian.org>
Problem: maint scripts can mangle httpd.conf user changes
Package: nagios-*
Maintainer: Turbo Fredriksson <turbo@debian.org>
Problem: maint scripts can mangle httpd.conf user changes
Package: phpmyadmin
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: maint scripts can mangle httpd.conf user changes
Package: remstats
Maintainer: Robert Jordens <jordens@debian.org>
Problem: maint scripts can mangle /etc/apache/*.conf (it also
uses www-config) and supports only apache
Package: libapache-mod-dav
Maintainer: Andreas Barth <aba@not.so.argh.org>
Problem: maint scripts can mangle httpd.conf user changes
Package: sympa
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Severity: wishlist
Problem: Could either switch to use conf.d to avoid touching httpd.conf
or otherwise use ucf.
(It does ask the user)
Package: phpwiki
Maintainer: Matthew Palmer <mpalmer@debian.org>
Severity: wishlist
Problem: Could either switch to use conf.d to avoid touching httpd.conf
or otherwise use ucf.
(It does ask the user)
Package: dpkg-www
Maintainer: Massimo Dal Zotto <dz@debian.org>
Severity: wishlist
Problem: Could either switch to use conf.d to avoid touching httpd.conf
or otherwise use ucf.
(It does ask the user)
Package: libapache-mod-gzip
Maintainer: Ryszard Lach <rla@debian.org>
Severity: wishlist
Problem: Could either switch to use conf.d to avoid touching httpd.conf
or otherwise use ucf.
2) The following packages have an unclear use of dependencies.
a) web applications:
apache, apache-ssl and apache-perl all provide a fully functional httpd whilst
some applications only depend on one of them (typically apache). Unless
there is a specific incompatibility between the application and a flavour
of apache, there is no reason to limit our users to a single flavour.
If we want to consider a more global scenario there is no reason for an
application to be specific to apache* and it could depend on httpd [2].
b) external apache* modules:
An external module should Depend solely on apache-common. Should the module
need to maintain a strict dependency, this should be expressed as:
Depends: apache-common (>= $this_ver), apache-common (<< $next_ver-0)
Also, if a module is known to be incompatible with one
apache flavour it is possible for us to 'blacklist' the module so that
it will not be enabled automatically. See README.modules for further
information.
Package: education-main-server
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Problem: It depends specifically on apache
Package: libapache-mod-frontpage-mirfak
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl
Package: www-sql
Maintainer: Hamish Moffatt <hamish@debian.org>
Problem: It does not depend/support apache-perl
Package: twiki
Maintainer: Sven Dowideit <svenud@ozemail.com.au>
Problem: It does not depend/support apache-perl
Package: sympa
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Problem: It does not depend/support apache-perl
Package: spip
Maintainer: Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>
Problem: It does not depend/support apache-perl, and it does not support
apache-ssl in postinst (even though it's declared as a dependency)
and it uses wwwconfig-common (see above)
Package: sork-vacation
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl
Package: sork-forwards
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl
Package: sork-accounts
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl
Package: slash
Maintainer: Eric Van Buggenhaut <ericvb@debian.org>
Problem: It does not depend/support apache-perl and it could either switch
to use conf.d to avoid touching httpd.conf or otherwise use ucf.
Package: pyca
Maintainer: Lars Bahner <bahner@debian.org>
Problem: It does not depend/support apache-perl
Package: openwebmail
Maintainer: Sergio Rua <srua@debian.org>
Problem: It does not depend/support apache-perl and it could either switch
to use conf.d to avoid touching httpd.conf or otherwise use ucf.
Package: opendb
Maintainer: Benoit Joly <benoit@debian.org>
Problem: It does not depend/support apache-perl and it could either switch
to use conf.d to avoid touching httpd.conf or otherwise use ucf.
Package: onshore-timesheet
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It does not depend/support apache-perl
Package: omlcs
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl
Package: mediamate
Maintainer: Jamin W. Collins <jcollins@asgardsrealm.net>
Problem: It does not depend/support apache-perl (it actually uses
wwwconfig-common)
Package: mailreader
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It does depend/support only apache-ssl
Package: libapache-mod-webapp
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It does not depend/support apache-perl and it only supports
apache at postinst phase
Package: libapache-mod-encoding
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Problem: It does not depend/support apache-perl
Package: ldap-account-manager
Maintainer: Roland Gruber <post@rolandgruber.de>
Problem: It does not depend/support apache-perl (it actually uses
wwwconfig-common)
Package: interchange-ui
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Problem: It only suggests apache-ssl | libapache-mod-ssl (perhaps it is
correct)
Package: interchange
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Problem: It only suggests apache-ssl | libapache-mod-ssl (perhaps it is
correct)
Package: imp3
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl (it actually uses
wwwconfig-common)
Package: htcheck-php
Maintainer: Marco Nenciarini <mnencia@debian.org>
Problem: It does not depend/support apache-perl
Package: horde2
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It does not depend/support apache-perl (it actually uses
wwwconfig-common)
Package: gween
Maintainer: Jonas Meurer <mejo@debian.org>
Problem: It does not depend/support apache-perl (it actually uses
wwwconfig-common)
Package: dcl
Maintainer: Jeff Bailey <jbailey@nisa.net>
Problem: It does not depend/support apache-perl
Package: apt-cacher
Maintainer: Jonathan Oxer <jon@debian.org>
Problem: It does not depend/support apache-perl
Package: logtrend-visuapache
Maintainer: Jean-Francois Dive <jef@debian.org>
Problem: It does not depend/support apache-ssl
Package: libapache-reload-perl
Maintainer: Michael Alan Dorman <mdorman@debian.org>
Problem: It does not depend on apache/apache-ssl
Package: libapache-db-perl
Maintainer: Ivan Kohler <ivan-debian@420.am>
Problem: It does not depend on apache/apache-ssl
Package: libapache-authensmb
Maintainer: Will Lowe <lowe@debian.org>
Problem: It does not depend on apache/apache-ssl
Package: acidlab
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Problem: It does not depend on apache-perl/apache-ssl (it actually uses
wwwconfig-common)
Package: backuppc
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Problem: It does not depend on apache-perl/apache-ssl (it actually uses
wwwconfig-common)
Package: dacode
Maintainer: Benjamin Drieu <benj@debian.org>
Problem: It does not depend on apache-perl/apache-ssl (it actually uses
wwwconfig-common)
Package: dpkg-www
Maintainer: Massimo Dal Zotto <dz@debian.org>
Problem: It does not depend on apache-perl/apache-ssl and does not
support apache-perl
Package: eskuel
Maintainer: Indra Kusuma <indra@kusuma.or.id>
Problem: It does not depend on apache-perl/apache-ssl
Package: fibusql
Maintainer: Martin Pitt <mpitt@debian.org>
Problem: It does not depend/support apache-perl
Package: jffnms
Maintainer: Craig Small <csmall@debian.org>
Problem: It does not depend on apache-perl/apache-ssl and it does
not support apache-perl
Package: jsboard
Maintainer: Ki-Heon Kim <khkim@debian.org>
Problem: It does not depend on apache-perl/apache-ssl (it actually uses
wwwconfig-common)
Package: libapache-mod-backhand
Maintainer: James Bromberger <james@rcpt.to>
Problem: It does not depend on apache-common
Package: libapache-mod-scgi
Maintainer: Neil Schemenauer <nas@debian.org>
Problem: It does not depend on apache-common
Package: libapache-mod-scribe
Maintainer: Kevin M. Rosenberg <kmr@debian.org>
Problem: It does not depend on apache-common, it uses a non-standard
directory for the DSO module.
Package: lurker
Maintainer: Jonas Meurer <mejo@debian.org>
Problem: It does not support apache-perl (it actually uses wwwconfig-common)
Package: moodle
Maintainer: Isaac Clerencia <isaac@sindominio.net>
Problem: It does not support apache-perl (it actually uses
wwwconfig-common)
Package: mysource
Maintainer: Sam Johnston <samj@aos.net.au>
Problem: It does not depend on apache-perl/apache-ssl
Package: nagios-*
Maintainer: Turbo Fredriksson <turbo@debian.org>
Problem: It does not support apache-perl
Package: phpgroupware
Maintainer: Thomas Viehmann <tv@beamnet.de>
Problem: It does not support apache-perl (it actually uses
wwwconfig-common)
Package: phppgadmin
Maintainer: Isaac Clerencia <isaac@sindominio.net>
Problem: It does not support apache-perl (it actually uses
wwwconfig-common)
Package: phpqladmin
Maintainer: Turbo Fredriksson <turbo@debian.org>
Problem: It does not support apache-perl (it actually uses
wwwconfig-common)
Package: spip-eva
Maintainer: Gaetan RYCKEBOER <gaetan@virtual-net.fr>
Problem: It does not depend/support apache-perl/apache-ssl (it actually uses
wwwconfig-common)
Package: tutos
Maintainer: Dimitri Fontaine <dfontaine@cvf.fr>
Problem: It does not depend on apache-perl/apache-ssl and it
does not support apache-perl (it actually uses wwwconfig-common)
Package: w3c-markup-validator
Maintainer: Frederic Schutz <schutz@mathgen.ch>
Problem: It does not support apache-perl (it actually uses
wwwconfig-common)
Package: libapache-auth-ldap
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It does not support apache-perl
Package: php3
Maintainer: Petr Cech <cech@debian.org>
Problem: It does not support apache-perl
Package: libapache-mod-acct-*
Maintainer: Luigi Gangitano <luigi@debian.org>
Problem: It does not support apache-perl (it actually uses wwwconfig-common)
Package: libapache-mod-auth-curdir
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-auth-pam
Maintainer: Luca Filipozzi <lfilipoz@debian.org>
Problem: It does not support apache-perl
Package: libapache-mod-auth-pgsql
Maintainer: Alberto Gonzalez Iniesta <agi@agi.as>
Problem: It does not support apache-perl
Package: libapache-mod-dtcl
Maintainer: David N. Welton <davidw@debian.org>
Problem: It does not support apache-perl
Package: libapache-mod-fastcgi
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It does not support apache-perl
Package: libapache-mod-limitipconn
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-musicindex
Maintainer: Thibaut VARENE <varenet@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-proxy-add-forward
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-rpaf
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-ruby
Maintainer: Shugo Maeda <shugo@debian.org>
Problem: It does not support apache-perl/apache-ssl (prerm)
Package: libapache-mod-speedycgi
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Problem: It does not support apache-perl
Package: libapache-mod-tsunami
Maintainer: Julien Danjou <acid@debian.org>
Problem: It does not support apache-perl/apache-ssl
Package: libapache-mod-witch
Maintainer: Tamas SZERB <toma@rulez.org>
Problem: It does not support apache-perl/apache-ssl
3) Packages using apacheconfig or the soon to be renamed modules-config
A lot of noise has been made, understandably, regarding the introduction of
modules-config. We intend to rename modules-config to apache-modconf. The
eventual aim is to produce a generic system that any modular server can use
to support modules.
In the short term, we will include a compatibility link from modules-config
to apache-modconf.
On the flipside of the coin, a number of modules still utilise apacheconfig,
which is both deprecated and probably dangerous.
The current plan is to file a normal or minor bug on each external module
that makes use of modules-config to request that they transition to using
apache-modconf.
Any modules still using apacheconfig will receive a Severity: Important bug
to request they stop using apacheconfig entirely.
Of course, migrating away from modules-config is also fine in either situation.
[3]
Two important notes:
a) The way in which packages use modules-config/apache-modconf.
Most maintainers used our examples for postinst/prerm. We have
now fixed some problems in the prerm phase, and therefore suggest that
maintainers should check their scripts against the new examples we provide
in README.modules, which ensures that apache-modconf exists before
attempting to use it.
(http://cvs.raw.no/cgi-bin/viewcvs.cgi/debian-apache/debian/README.modules)
b) during the audit we realised that a number of modules and applications need
the ability to query the availability of a specific module in the server
configuration. To achieve this, a new "query" target has been added to
apache-modconf. We recommend that this should be taken as the canonical
way to query for the availability of the module.
Package: libapache-mod-frontpage-mirfak
Maintainer: Ola Lundqvist <opal@debian.org>
Problem: It still uses apacheconfig
Package: twiki
Maintainer: Sven Dowideit <svenud@ozemail.com.au>
Problem: It still uses apacheconfig (and wwwconfig-common)
Package: libapache-mod-webapp
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It implements its own system to add/remove module based on
apacheconfig
Package: libapache-mod-dynvhost
Maintainer: Martin List-Petersen <martin@list-petersen.dk>
Problem: It still uses apacheconfig
Package: libapache-mod-backhand
Maintainer: James Bromberger <james@rcpt.to>
Problem: It still uses apacheconfig
Package: libapache-mod-interchange
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Problem: It does not have a postinst (that can be fine)
Package: libapache-mod-aspseek
Maintainer: Matt Sullivan <aspseek@sullivan.gen.nz>
Problem: It does not have a postinst (that can be fine)
Package: libapache-mod-scgi
Maintainer: Neil Schemenauer <nas@debian.org>
Problem: It does not have a postinst (that can be fine)
Package: libapache-auth-ldap
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It still uses apacheconfig
Package: php3
Maintainer: Petr Cech <cech@debian.org>
Problem: It still uses apacheconfig
Package: libapache-csacek
Maintainer: Petr Cech <cech@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-aspseek
Maintainer: Matt Sullivan <aspseek@sullivan.gen.nz>
Problem: It does not have a postinst (that can be fine)
Package: libapache-mod-auth-curdir
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-auth-pam
Maintainer: Luca Filipozzi <lfilipoz@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-auth-pgsql
Maintainer: Alberto Gonzalez Iniesta <agi@agi.as>
Problem: It still uses apacheconfig
Package: libapache-mod-auth-useragent
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-cgi-debug
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-dtcl
Maintainer: David N. Welton <davidw@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-fastcgi
Maintainer: Debian QA Group <packages@qa.debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-filter
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-index-rss
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-ldap
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-limitipconn
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-mp3
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-musicindex
Maintainer: Thibaut VARENE <varenet@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-proxy-add-forward
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-random
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-relocate
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-repository
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-rpaf
Maintainer: Piotr Roszatycki <dexter@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-ruby
Maintainer: Shugo Maeda <shugo@debian.org>
Problem: It still uses apacheconfig in prerm but it does not
have a postinst (that can be fine)
Package: libapache-mod-speedycgi
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-text2html
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-trigger
Maintainer: Pawel Wiecek <coven@debian.org>
Problem: It still uses apacheconfig
Package: libapache-mod-witch
Maintainer: Tamas SZERB <toma@rulez.org>
Problem: It still uses apacheconfig
Packages that should switch to use apache-modconf:
Package: libapache-mod-jk
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Package: libapache-mod-encoding
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Package: ilohamail
Maintainer: Joerg Jaspert <joerg@debian.org>
Package: php4
Maintainer: Adam Conrad <adconrad@0c3.net>
Package: libapache-mod-auth-kerb
Maintainer: Miguel A. Arevalo <marevalo@marevalo.net>
Package: libapache-mod-auth-mysql
Maintainer: Matthew Palmer <mpalmer@debian.org>
(postinst/postrm need some extra changes)
Package: libapache-mod-auth-plain
Maintainer: Piotr Roszatycki <dexter@debian.org>
Package: libapache-mod-auth-shadow
Maintainer: Marcin Owsiany <porridge@debian.org>
Package: libapache-mod-dav
Maintainer: Andreas Barth <aba@not.so.argh.org>
Package: libapache-mod-gzip
Maintainer: Ryszard Lach <rla@debian.org>
Package: libapache-mod-layout
Maintainer: Preston Smith <psmith@foobird.net>
Package: libapache-mod-lisp
Maintainer: Matthew Danish <mrd@debian.org>
Package: libapache-mod-python-*
Maintainer: Peter Hawkins <peterh@debian.org>
Package: libapache-mod-security
Maintainer: Bruno Rodrigues <bruno.rodrigues@litux.org>
Package: libapache-mod-tsunami
Maintainer: Julien Danjou <acid@debian.org>
Regards,
The Apache Maintainers Team
[1] list created using apt-cache rdepends for all apache 1.3 binaries
on the 30th of March
[2] Depends: httpd has not been analysed
[3] Since some packages are orphaned and the transition is relatively simple
perhaps it would be a good exercise for NM without packages to take care
of them.
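
Added example (not part of the original message, and not code from the Debian Apache team or from ucf): a much-simplified sketch of the hash-comparison idea behind the section 1 advice, where a maintainer script ships its own snippet (for instance under conf.d) and never overwrites or recreates a file the administrator has changed or deleted. The function names, the state file and the `.pkg-new` suffix are assumptions made for illustration; a real package would call ucf rather than reimplement this.

```sh
#!/bin/sh
# Added example: all names, paths and the ".pkg-new" suffix are hypothetical.

# Print a content hash of a file (sha256sum where available, cksum otherwise).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        cksum < "$1" | cut -d' ' -f1
    fi
}

# install_snippet NEW DEST STATE
#   NEW   - snippet shipped by the package
#   DEST  - live file, e.g. a file under the web server's conf.d directory
#   STATE - records the hash of the version this package last installed
# Prints one of: installed, unchanged, updated, kept, removed
install_snippet() {
    new=$1 dest=$2 state=$3
    new_hash=$(file_hash "$new")

    if [ ! -e "$dest" ]; then
        if [ -e "$state" ]; then
            # We installed it before and the admin deleted it:
            # a deletion is a local change, so do not recreate the file.
            echo removed
            return 0
        fi
        # First install: nothing of the admin's to preserve.
        cp "$new" "$dest"
        printf '%s\n' "$new_hash" > "$state"
        echo installed
        return 0
    fi

    cur_hash=$(file_hash "$dest")
    old_hash=$(cat "$state" 2>/dev/null || true)

    if [ "$cur_hash" = "$new_hash" ]; then
        # Live file already matches what we ship.
        printf '%s\n' "$new_hash" > "$state"
        echo unchanged
    elif [ "$cur_hash" = "$old_hash" ]; then
        # The admin never touched the file: safe to replace.
        cp "$new" "$dest"
        printf '%s\n' "$new_hash" > "$state"
        echo updated
    else
        # Local edits (or no record of what we shipped): leave the live
        # file alone and put the new version beside it for manual merging.
        cp "$new" "$dest.pkg-new"
        echo kept
    fi
}
```
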