
Re: webapps in stable release cycles Was: flashplugin-nonfree in Debian



[Don't CC me, thanks]

Romain Beauxis wrote:

> On Wednesday 22 April 2009 12:35:12 Raphael Geissert, you wrote:
> 
> I think you have a wrong view, probably due to the fact that you don't
> maintain or develop webapps (I might be wrong, in which case I
> apologise).

I do not maintain any web app *in Debian*, but I do develop and maintain web
apps. I don't see the point in making such "probably right" statements.

> 
> Security issues in webapps are very, very different from those in other
> software.
> 
> Web technologies imply the combined use of a lot of different protocols,
> software, etc..

I don't think they're very, very different just because they use different
protocols, software, etc.

I did say:
> [...] web apps are by nature more exposed to security
> threats than most other kinds of apps [...]


> 
> For instance, there are security issues in webapps that are in fact due to
> the combination of both the browser's bad implementation,

Which is handled by proper input sanitising, not trusting what the user
submits.

> PHP features and the web server options

Which can be dealt with, either by aborting if a given setting is used, or by
normalising.

> being specific to apache, say.

Which is a bug in the server, not in the web application; and attempting to
fix or work around it in the latter just makes the web app more b0rken and
often introduces more bugs.

> 
> I have mentioned in my previous email the latest security upload of
> mediawiki; did you just look at it?
> 

I did look at it.

> I gave this example precisely because mediawiki upstream release
> management is one of the most serious I know in webapps. And even though
> they fix issues with care, and their code is surely very good, this still
> ends up with *huge* security patches.
> 
> Or, are you claiming that we should rewrite mediawiki?

The issue was mostly caused by a design error (or should I say "because it
was not quite the best design" so that it doesn't sound too rough? And no,
I don't and won't claim that my software designs are good or the best, just
in case somebody wanted to troll.)

Just because there is a set of big patches, it doesn't mean that the app
should be rewritten (or parts of it, I should have said in my first email.)
I was thinking more about wordpress when I wrote that part, because IMHO
that's the best that could happen to it.

In mediawiki's case there's a huge advantage because, like you said, it is
well supported and it is developed seriously (at least compared to the vast
majority of PHP apps), and patches are available quickly, which is hard or
even impossible to accomplish on an app where fixing one bug exposes four
more.

Cheers,
Raphael Geissert
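The two points made above (do not trust what the client submits; deal with a
PHP setting by aborting or by normalising its effect) as an added PHP example
that is not part of this thread and is not code from any of the applications
mentioned. The thread names no specific setting; the one used here,
magic_quotes_gpc, is an assumption chosen because it was a real PHP option of
that era that silently altered submitted data. The request data is constructed
for the example.

```php
<?php
// Added example, not from the original thread. Demonstrates the two points
// from the reply above: handle a server-side configuration option by either
// refusing to run or normalising its effect, and validate client input instead
// of trusting it. magic_quotes_gpc is an assumed illustration of such a
// setting; the thread itself does not name one.

// Option A, normalise: if magic_quotes_gpc is on, undo the escaping it applied
// so the application always sees the raw submitted values.
function normaliseMagicQuotes(array $input): array
{
    // get_magic_quotes_gpc() no longer exists on current PHP, so guard it.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $input;
    }
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? normaliseMagicQuotes($value)
            : stripslashes($value);
    }
    return $out;
}

// Option B, abort: refuse to run under a setting the application cannot
// safely support, rather than trying to work around it everywhere.
function requireSettingOff(string $name): void
{
    $value = ini_get($name);
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException("Unsupported PHP setting enabled: $name");
    }
}

// Input handling: accept only what matches an explicit rule, and fall back to
// a safe default instead of using whatever the browser sent.
function validatedPage(array $get): int
{
    $page = filter_var(
        $get['page'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]
    );
    return $page === false ? 1 : $page;
}

// Output handling: encode on the way out, so whatever was submitted cannot
// become markup in the rendered page.
function renderTitle(string $title): string
{
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed sample request (not real traffic).
requireSettingOff('magic_quotes_gpc');
$get = normaliseMagicQuotes([
    'page'  => '3abc',
    'title' => 'Title <b>with markup</b> & "quotes"',
]);
echo validatedPage($get), "\n";
echo renderTitle($get['title']), "\n";
```

The two configuration helpers are alternatives: an application picks one
policy per setting, either normalising so later code never has to care, or
aborting so the misconfiguration is found at deployment time instead of being
patched around in every form handler.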
