[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#504283: Bug#526878: Bug#504283: Bug#471801: egroupware adoption or removal?

Hi Jan,

Jan Wagner schrieb:
> Hi Ralf,
> one of the main problem for packaging egroupware (not exclusive relevant for 
> debian) is the huge amount of embedded code copies[1] (search for 
> 'egroupware'). This was the reason to not include egroupware into sarge and is 
> the actual reason for removing from testing. If there pops up a security 
> problem for any embedded code copy, the (egroupware) package needs fixed in 
> any way. The ideal solution would be to get rid of the embeddde code copies in 
> the egroupware debian package and use the debian package of the embedded code 
> copy. For example with phpmailer, just the phpmailer package needs to be fixed 
> and egroupware is not vuln anymore.
> The actual problem is, to fix the problem in the egroupware package too, which 
> is a big security mess.

Unfortunately the problem is more complex. Here are a few reasons why
code it embed into EGroupware instead of using external libraries:

- upstream did not accepted patches necessary for bugfixes or
enhancements (eg. CalDAV support via HTTP_WebDAV_Server)
- missing time and resources to communicate and negotiate with upstream
to accept required modifications
- not creating more dependencies for inexperienced users mostly using
zip archives under windows (I know that matters not for Debian, but it's
important for our user base). So far we only have dependencies in either
PHP extensions or PEAR packages (for the EGroupware core).
- sharing authentication and sessions with other external applications,
can usually not be archived with just a parallel installation. Even if
the software is untouched (as for example Gallery2) we need to provide
configuration files (fetching their data from EGroupware) within their
code trees
- other stuff like eg. FCKeditor requires to create and/or configure a
serverside backend

I know most of the above can be solved, if we look only on Debian and
EGroupware developers had more resources to spend in that area.

Looking at the exploits of the last years - the majority was caused by
embed code - most were fixed within days of coming to my knowledge. That
process of cause only starts, after the upstream projects published.

> So if you could take this code copy issue into account, the conditions for 
> egroupware in debian would benefit a lot.
> Thanks and with kind regards, Jan.
> [1] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file

This list is not up to date. It lists all problems as unfixed, which is
not the case: the exploits in these embedded packages are either:
- fixed in the most current EGroupware packages or
- can not be executed in EGroupware (eg. we use only SMTP in phpMailer)

Independent of how EGroupware is maintained in Debian in future, I'm
happy to work closer together with Debian Security Team, to get earlier
information about exploits in embedded code and coordinate security fixes.

If I'm going to maintain EGroupware in Debian, everyone can expect
same-time releases of Debian packages (to experimental), as the other
rpm packages or archives of EGroupware.

I will of cause very like try to handle at least the Linux packages of
EGroupware as close as possible together - thought in the past mostly
rpm packages benefit from the already nice Debian packages.

I made now many fixes and enhancements to our commercial Debian
packages, which I plan to integrate (or report back) to Debian.

Anyway most important for me is that EGroupware stays in Debian.
I'm happy if we (EGroupware project) have a competent and timely
available Debian maintainer, as we had in the past with Peter.

Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon  +49 (0) 6352 70629-0
fax  +49 (0) 6352 70629-30
mailto: rb@stylite.de


Geschäftsführer Andre Keller, Gudrun Müller,
	Nigel Vickers und Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

Reply to: