Bug#312413: ITP: serendipity -- PHP Weblog/Blog software

To: Moritz Muehlenhoff <jmm@inutil.org>, 312413@bugs.debian.org
Cc: Penny Leach <penny@she.geek.nz>
Subject: Bug#312413: ITP: serendipity -- PHP Weblog/Blog software
From: Penny Leach <penny@wadda.org>
Date: Wed, 15 Jun 2005 10:29:48 +1200
Message-id: <[🔎] 42AF5A5C.6050204@wadda.org>
Reply-to: Penny Leach <penny@wadda.org>, 312413@bugs.debian.org
In-reply-to: <[🔎] 20050608110741.GA8855@informatik.uni-bremen.de>
References: <4cVGn-4si-5@gated-at.bofh.it> <[🔎] 20050608110741.GA8855@informatik.uni-bremen.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Moritz,

on 8/6/05 11:07 PM Moritz Muehlenhoff said the following:
| Plus a disturbing constant flow of security vulnerabilities; eight
alone for
| 2005. Do they have a clear policy of documenting issues or do they only
| provide new releases without documenting the vulnerabilities? (This would
| make support for a stable release close to impossible).

Fair question,  from a discussion on their dev mailing list [1,2]:

- ------
Security issues are documented in both our NEWS file (aka ChangeLog) and
announced publically after the fix has been committed. Any other way
would really  be bad for any end-users as we do not want them to be
unaware of outstanding bugs in old releases.

Of course, this is already much, and we"re very sorry about this. But if
you look at the security trackers you will see that many, many
web-applications have had similar bugs in 2005. This seems to be the
year of many people testing XSS.

Look at WordPress, they have had similar problems. But we take our
security problems serious, and for errors that come to our attention we
have provided fixes in less than 12 hours in the past.
- ------

They also have a security section on their blog [3] with an RSS feed I
can subscribe to.

In addition, they maintain a stable branch in their svn tree [4], which
just gets bug & security fixes.  So identifying relevant security
patches should be quite trivial as I can pick them from this branch
rather than trying to find them from within the trunk.


I hope this is somewhat reassuring.

Cheers
Penny



1:
http://sourceforge.net/mailarchive/forum.php?thread_id=7468268&forum_id=31275

2:
http://sourceforge.net/mailarchive/forum.php?thread_id=7473550&forum_id=31275

3: http://blog.s9y.9rg/

4: http://svn.berlios.de/viewcvs/serendipity/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCr1pcGHUSCqMOwisRAniXAJ9bPz4AquLHKK3bF+HNV5IksX4FjQCcCIcQ
JCuYaIGGkvrAq4bHIj23BPE=
=p3ab
-----END PGP SIGNATURE-----

Reply to:

References:
- Bug#312413: ITP: serendipity -- PHP Weblog/Blog software
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Bug#313659: RFP: ktorrent -- ktorrent is a bittorrent client for KDE
Next by Date: Bug#313659: RFP: ktorrent -- ktorrent is a bittorrent client for KDE
Previous by thread: Bug#312413: ITP: serendipity -- PHP Weblog/Blog software
Next by thread: Bug#312490: ITP: exiv2 -- EXIF/IPTC metadata manipulation library and tools
Index(es):
- Date
- Thread