Bug#774382: Fwd: poor code quality in shaarli package, remove from Debian?



---------- Forwarded message ----------
From: Emilien Klein <emilien+debian@klein.st>
Date: 2014-12-31 21:52 GMT-05:00
Subject: Re: poor code quality in shaarli package, remove from Debian?
To: Paul Wise <pabs@debian.org>
Cc: Debian Security <security@debian.org>, Georges Khaznadar
<georgesk@debian.org>, Julien Voisin <julien.voisin@dustri.org>,
nodiscc <nodiscc@gmail.com>


Adding nodiscc in CC, the main pusher of the community fork.

2014-12-31 21:20 GMT-05:00 Paul Wise <pabs@debian.org>:
> Hi folks,
>
> I was discussing the CVE issued for the shaarli package with the person
> who found the issues (Julien, CCed)

Can you link to that CVE?
I will report this upstream (github) to make the original upstream
developer and the community fork developers aware of it.

>  and came to the conclusion that the
> code is terrible, upstream maintenance has stopped and the package
> should be removed from Debian entirely. Here is our IRC log:
>
> <jvoisin> I'm quite sure that no one should use shaarli anyway. It's not maintained, and the code is awful :/
> <pabs> do you think it should be removed from Debian?
> <jvoisin> https://github.com/sebsauvage/Shaarli/ Last commit one year ago, almost 100 issues, …
> <jvoisin> I think so, yes
> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <pabs> seems reasonably well maintained in Debian, so I would suggest filing a bug on the package itself about this
> <jvoisin> This is not even remotely funny.
> <pabs> it seems pointless but what would the downside be?
> <jvoisin> This is predictable
> <jvoisin> and https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like an arbitrary redirect to me
> <jvoisin> Anyway, I don't care that much about this 2500LoC PHP script
> <pabs> there are several more instances of this in the code
> <jvoisin> yup

The version currently packaged in Debian is from the [hopefully
temporary] community fork [0], due to the inactivity on the side of
the original developer.
[0] https://github.com/shaarli/Shaarli

We are working with the original developer to get things moving again
[1], but he has indicated that he doesn't expect to be able to merge
the community fork before spring.
[1] https://github.com/sebsauvage/Shaarli/issues/191#issuecomment-68188141

The last "officially" released version is 0.0.41beta (don't ask about
the versioning scheme... the community fork is going to 1.0 soon); the
version in Debian, called 0.0.42beta, is the state as represented in
HEAD of the official repo, but the fork is already almost 70 commits
further, fixing bugs and merging pull requests made towards upstream.
There is activity, as the users of Shaarli do demand that. Hence my
original effort to package that in Debian.
Since a large number of changes were made around/after the Jessie
freeze, I am currently waiting for Jessie to be released to push for
the release of a new community version, and package that in Debian.

I would much rather have shaarli removed from Jessie for now, but kept
in unstable/testing so that we can include the latest fixes from the
community fork, and include a fix for the mentioned CVE.
Is that an acceptable solution, security-wise?

    +Emilien
