> True, but this goes for any crappy software and is not specific to
> web applications. Perhaps there are more that are crappy, but if you
> think this kind of policy is needed you should try to implement it in
> some kind of general way, also imposing restrictions on other
> packages.

Maybe that'd be good. E.g.: I can't understand how we can have packages that have 'comparison between signed and unsigned ints' warnings at compile time.

> I'm wondering if this is a concrete problem or just a theoretical
> one? I'm aware that for example openwebmail was packaged which is a
> security nightmare, but that has been dealt with and the package will
> be removed. Isn't the current practice sufficient?

I prefer to prevent than to deal with.

> > if there is some minimalistic requirements, I really believe we can
> > drastically reduce the possibility for such problems to arise.
>
> Another problem here is the question who can or should enforce these
> problems.

QA team, ftp-masters, the 'tech committee' or whatever the name of that team is, ... and even if a non-compliant app is packaged, filing an RC bug against it will prevent it from entering any frozen distribution. And anyone can open an RC bug.

-- 
·O·  Pierre Habouzit
··O
OOO  http://www.madism.org