Re: State of ampache: we should declare it unsupported
On Fri, Oct 04, 2019 at 11:53:14AM -0400, Roberto C. Sánchez wrote:
> On Fri, Oct 04, 2019 at 04:45:16PM +0200, Sylvain Beucler wrote:
> > Hi,
> >
> > The vulnerabilities are important and upstream does not provide any
> > fixed release.
> > This means all ampache installations (Debian and non-Debian) are at risk.
> >
> > It would be worth explaining the situation to upstream and requesting
> > his explicit stance on the matter.
> >
> > I believe this will make the decision easier, and contribute to raising
> > awareness about good security practices.
> >
> Someone already made such a request in the issue, to which the author
> responded with the 39k line commit and the list of "specific changes"
> buried therein. However, I am not opposed to making a more detailed and
> thorough request with rationale to see if that might yield some useful
> information.
>
I have commented on the upstream GitHub issue with a request for
assistance from the author. I am inclined to wait perhaps a week for a
reply. If no reply is received, or a negative reply, then it would seem
that declaring ampache unsupported might be the only alternative. If
the author is willing to help, then a new assessment can be made based
on the scope of the changes.

Regards,
-Roberto
--
Roberto C. Sánchez