
Re: Getting a package added to the debian package repository: WACS



Andrew

On Fri, 2010-02-19 at 13:59 +1300, Andrew McMillan wrote:
> Why would you want to restrict local users from reading files which are
> freely downloadable?

Generally the act of downloading is a significant barrier to entry for
many people, particularly those who are not normally the "administrator"
of the system.

I was somewhat surprised to discover that a couple of the people
contributing to and using the project were "family men" who were using a
shared "family" computer for the installation.  Since they had chosen
to do that, I felt the best that I could do in response to that type of
usage was to lock down the icons, documentation, and so on such that
another user on the system could not easily access them.  Simply making
the web server a member of the wacs group ensured that it could read the
files as needed in order to work without them being open to casual
perusal.  The same protections are actively applied to the content each
and every time it is manipulated through the collection management
tools.  Anyone in the appropriate group (wacs) can of course read them.

Since the system, by default, requires authentication before showing
anything more than a very cryptic "you don't have permission" screen,
this does make it somewhat protected against casual curiosity.

> I think that debian-mentors is probably a better place to start, other
> than for discussion related to packaging a web application specifically.

I'll send a message to that list shortly.

> I'm sure only the people involved in the industry could say, but I doubt
> that it fits so straightforwardly into the 'making the world a better
> place' ethos of many free software developers.

That's certainly my motivation in releasing it.

> Is it usable for other things as well?  I mean I don't really have the
> content to load up into my local porn installation, but if it works
> better than (say) Gallery I might be tempted to use it to display my
> personal (and decidedly non-racy) photographs to the world...

I use gallery2 myself for my own (non-racy) photos.

WACS simply doesn't handle single photos; it handles photostories - a
series of photos that are handled together as a slideshow and have a
determined order of display.  It also handles video clips and includes
the infrastructure to index appearances on DVDs as well.

I can certainly see the potential for some other uses - somebody who had
scanned each and every image in a comic book collection for instance -
would probably find many of its architectural components of significant
use.  Similarly people collecting stills of a musician in concert might
wish to represent each concert as a unique photostory with a determined
order of display.

I'd love to see people develop those kinds of projects using the
infrastructure we have provided.  As someone with a passion for
photographing female nudity, that's not what "lights my candle" but I'm
in no way hostile to it.

> You're marketing it as a Web 'Adult' CMS, but what is it about the
> content that makes it special-cased for that particular vertical?

Basically the database schema.  This is designed to represent the
relationships between models, sets, distributors and photographers.  

It provides significant features related to keywording and attribute
mark-up - including a fairly unique retrospective keywording engine.
These features are all designed to be very configurable and would be
portable to many other applications, but of course the initial database
load provided with the distribution is of necessity very specific to the
target application.

We did actually discuss this technique and its applicability to other
uses in some depth during the Photo Management BOF at linux.conf.au.

> is to make us feel guilty about looking sideways at this package.

Not really my intention.  Just trying to explain that our motivations
for working on the package are very much the same as for the rest of the
free software movement.  I've found over the years that merely because
of the subject matter people seem to become suspicious of ulterior
motives when there really aren't any.

> Your best approach here will be to seek to resolve technical issues and
> questions 

I do see the permissions issue as one of the biggest.  It's also what
lintian has the biggest problem with, and therefore the (technical) one
that is most likely to need consideration along the road to (hopefully)
acceptance.

I'm really interested in other people's views on whether protecting the
system components in this way is a reasonable precaution to take or an
unacceptable restriction on the other users' rights.  I can see both
arguments.

Additionally I would very much hope that if the considered opinion is
that the protection is the right thing to do, that someone would
consider installing the package and doing an audit of what has been
installed and point out to us where there may be chinks in the armour.

I'm thinking about protecting the /usr/share/wacs/docs/ directory with
a .htaccess file that requires a username and password in the upcoming
0.8.5 release.  That would partially remove one potential path to
circumvention of the group permissions protection, but it would be hard
to tie that into all of the standard authentication rules for the
system.  I'm not sure if it's worth doing or if it would create more
issues than it would resolve.

Maybe guidance to users to simply not install the documentation packages
on "family" computers would be more appropriate.  Of course that would
mean there are applications with no associated man pages installed on
the system....

> and to leave the rhetoric about why this is a wonderful
> package and how it will change the world to languish in the description
> field of the debian/control file.

Most of that is on the websites at sourceforge.net and launchpad.net...

Cheers
Beaky.
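
An added example, not part of the original message or of WACS itself: one way to run the kind of audit asked for above, listing what a local user outside the owning group can still reach in an installed tree. The function name and the choice to report only "other" permission bits are assumptions; a file counts as exposed only when every directory above it inside the tree grants "other" search permission.

```python
import os
import stat
import sys


def exposed_paths(root):
    """Return sorted paths (relative to root) that a local user who is
    neither the owner nor in the owning group can list or read."""
    exposed = []
    # Without o+x on the top directory nothing below it is reachable.
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return exposed
    for dirpath, dirnames, filenames in os.walk(root):
        # dirpath is reachable here; o+r additionally lets others list it.
        if os.lstat(dirpath).st_mode & stat.S_IROTH:
            exposed.append(os.path.relpath(dirpath, root) + "/")
        # Descend only into real directories that others may traverse.
        reachable = []
        for name in dirnames:
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                reachable.append(name)
        dirnames[:] = reachable
        # A regular file with o+r can be opened by anyone who knows its
        # name, even when the directory itself cannot be listed.
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


if __name__ == "__main__":
    # Usage: pass the installed tree to audit as the first argument.
    for path in exposed_paths(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

Run it as root or as a member of the owning group so that the walk itself can read every directory; an empty result means nothing in the tree is open to users outside that group.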

