Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > > Programming Lang: PHP
> > > > Description : ocPortal is a Content Management System for
> > > > building and maintaining a dynamic website
> > >
> > > How many content management systems written in php does Debian need?
> > It's not cool that you didn't even ask about how good it is. Maybe it's
> > better than whatever exists in Debian currently, have you checked? My
> > point is your question isn't helpful. It smacks of flaming.
> The question I should have asked is what its security record is like. This
> is an area that's rife with applications that have 'poor' security records.
> Adding more to that pile would be an unfortunate burden on the security team.
> That's probably the most significant of the project wide costs adding a package
> like this brings with it.
> Scott K
Hi Scott. ocPortal isn't massively widespread compared to other systems,
so there's obviously less experimental proof of security. We had a
security hole a few years ago; this was before I got involved, but
there are details here http://en.wikipedia.org/wiki/OcPortal#Criticisms
Official ocPortal releases are managed by ocProducts, a company set up
around ocPortal (and who pay my salary), and we have a clear security
policy, which can be found here
We also regularly run static code analysis tools on the codebase and we
test every release with a hacked PHP runtime that 1) triggers errors if
strings are not explicitly sanitised before going through eval, getting
echoed to a browser or being entered into a database, and 2) enforces a
type system on variables and function calls (based on type signatures
written into the PHPdoc of every function), and raises an error if there
is a type mismatch. I actually run this hacked PHP on my system in place
of the distro's own.
If there are specific security concerns I'd be happy to address them.
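Added illustration (not part of the thread, and not ocPortal or ocProducts code): a small Python model of the two checks Chris describes above, the taint check that stops an unsanitised string reaching eval, echo or the database, and the type check driven by PHPdoc-style "@param"/"@return" lines. The hacked runtime does this inside the PHP interpreter; here it is modelled with a tainted str subclass, sink functions that refuse tainted input, and a decorator that parses the docblock. Every name, the sanitisers, the sink stand-ins and the sample attacker input are inventions for the example.

```python
import functools
import inspect
import re


class TaintError(Exception):
    """Raised when an unsanitised string reaches a dangerous sink."""


class TypeMismatch(Exception):
    """Raised when an argument or return value contradicts the docblock signature."""


class Tainted(str):
    """A string of untrusted origin. Concatenation keeps the taint; the
    sanitisers below return plain str, which is what clears it."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(str(other), self))


def from_request(value):
    """Entry point for request data: everything arriving here is tainted."""
    return Tainted(value)


def escape_html(value):
    """Sanitiser for the echo sink: untainted, HTML-escaped str."""
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def sql_quote(value):
    """Sanitiser for the database sink: untainted, quoted SQL string literal."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def _require_clean(value, sink):
    if isinstance(value, Tainted):
        raise TaintError("unsanitised string reached " + sink)


def echo(value):
    """Stand-in for PHP echo: refuses tainted input, returns the fragment it would output."""
    _require_clean(value, "echo")
    return str(value)


def db_query(sql):
    """Stand-in for a database call: refuses tainted SQL, returns the text it would run."""
    _require_clean(sql, "database")
    return str(sql)


def php_eval(code):
    """Stand-in for eval: refuses tainted code, returns the text it would evaluate."""
    _require_clean(code, "eval")
    return str(code)


# PHPdoc type names mapped to the Python types standing in for them (assumed mapping).
PHP_TYPES = {"string": str, "integer": int, "float": float,
             "boolean": bool, "array": (list, dict)}


def _matches(value, php_type):
    python_type = PHP_TYPES.get(php_type)
    if python_type is None:      # unknown type name: not enforced
        return True
    if php_type == "integer" and isinstance(value, bool):
        return False             # bool is an int in Python but not in PHP
    return isinstance(value, python_type)


def checked(func):
    """Enforce '@param <type> $<name>' and '@return <type>' docblock lines on every call."""
    doc = inspect.getdoc(func) or ""
    param_types = {name: t for t, name in re.findall(r"@param\s+(\w+)\s+\$(\w+)", doc)}
    ret = re.search(r"@return\s+(\w+)", doc)
    return_type = ret.group(1) if ret else None
    sig = inspect.signature(func)

    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        for name, value in sig.bind(*args, **kwargs).arguments.items():
            expected = param_types.get(name)
            if expected and not _matches(value, expected):
                raise TypeMismatch("%s: $%s should be %s" % (func.__name__, name, expected))
        result = func(*args, **kwargs)
        if return_type and not _matches(result, return_type):
            raise TypeMismatch("%s: return should be %s" % (func.__name__, return_type))
        return result
    return wrapper


@checked
def render_greeting(name):
    """Build a greeting fragment; the docblock below is the enforced signature.

    @param string $name
    @return string
    """
    return "<p>Hello " + name + "</p>"


def run_scenarios():
    """Drive each sink with constructed request input and record what the checks did."""
    user = from_request("<script>alert(1)</script>")   # constructed attacker input
    outcome = {}
    for label, action in (
        ("raw_echo", lambda: echo(render_greeting(user))),
        ("raw_sql", lambda: db_query("SELECT * FROM users WHERE name = " + user)),
        ("raw_eval", lambda: php_eval("return " + user + ";")),
        ("int_arg", lambda: render_greeting(42)),
    ):
        try:
            action()
            outcome[label] = "allowed"
        except (TaintError, TypeMismatch):
            outcome[label] = "blocked"
    outcome["escaped_echo"] = echo(render_greeting(escape_html(user)))
    outcome["quoted_sql"] = db_query("SELECT * FROM users WHERE name = " + sql_quote(user))
    return outcome


if __name__ == "__main__":
    for check, result in run_scenarios().items():
        print(check, "->", result)
```

The point the model makes is the one the post relies on: the sink, not the programmer, decides whether a string is safe, so forgetting escape_html() or sql_quote() anywhere on the path turns into a hard error during testing instead of a silent XSS or SQL injection, and a caller passing an integer where the docblock says string fails before it reaches production.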