
Re: State of ampache: we should declare it unsupported



On Fri, Oct 04, 2019 at 11:53:14AM -0400, Roberto C. Sánchez wrote:
> On Fri, Oct 04, 2019 at 04:45:16PM +0200, Sylvain Beucler wrote:
> > Hi,
> > 
> > The vulnerabilities are important and upstream does not provide any
> > fixed release.
> > This means all ampache installations (Debian and non-Debian) are at risk.
> > 
> > It would be worth explaining the situation to upstream and requesting
> > his explicit stance on the matter.
> > 
> > I believe this will make the decision easier, and contribute to raising
> > awareness about good security practices.
> > 
> Someone already made such a request in the issue, to which the author
> responded with the 39k line commit and the list of "specific changes"
> buried therein.  However, I am not opposed to making a more detailed and
> thorough request with rationale to see if that might yield some useful
> information.
> 
I have commented on the upstream GitHub issue with a request for
assistance from the author.  I am inclined to wait perhaps a week for a
reply.  If no reply is received, or a negative reply, then it would seem
that declaring ampache unsupported might be the only alternative.  If
the author is willing to help, then a new assessment can be made based
on the scope of the changes.

Regards,

-Roberto

-- 
Roberto C. Sánchez

