
Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website



On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > >   Programming Lang: PHP
> > > >   Description     : ocPortal is a Content Management System for building
> > > >   and maintaining a dynamic website
> > > 
> > > How many content management systems written in php does Debian need?
> > 
> > It's not cool that you didn't even ask about how good it is. Maybe it's
> > better than whatever exists in Debian currently, have you checked? My
> > point is your question isn't helpful. It smacks of flaming.
> 
> The question I should have asked is what its security record is like.  This 
> is an area that's rife with applications that have 'poor' security records.  
> Adding more to that pile would be an unfortunate burden on the security team.  
> That's probably the most significant of the project wide costs adding a package 
> like this brings with it.
> 
> Scott K

Hi Scott. ocPortal isn't massively widespread compared to other systems,
so there's obviously less experimental proof of security. We had a
security hole a few years ago; this was before I got involved, but
there are details here: http://en.wikipedia.org/wiki/OcPortal#Criticisms

Official ocPortal releases are managed by ocProducts, a company set up
around ocPortal (and who pay my salary), and we have a clear security
policy, which can be found here:
http://ocportal.com/site/maintenance.htm

We also regularly run static code analysis tools on the codebase and we
test every release with a hacked PHP runtime that 1) triggers errors if
strings are not explicitly sanitised before going through eval, getting
echoed to a browser or being entered into a database, and 2) enforces a
type system on variables and function calls (based on type signatures
written into the PHPdoc of every function), and raises an error if there
is a type mismatch. I actually run this hacked PHP on my system in place
of the distro's own.

If there are specific security concerns I'd be happy to address them.

Thanks,
Chris Warburton
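As an added illustration of the two checks Chris describes (a sanitise-before-sink rule and PHPDoc-driven type enforcement), here is a small userland approximation. It is not ocPortal or ocProducts code and not the patched interpreter itself, which hooks the runtime rather than running as library code; it assumes PHP 8 and all names (`Untrusted`, `echo_sink`, `checked_call`) are made up for the example.

```php
<?php
// Added illustration, not ocPortal or ocProducts code: a userland sketch of the
// two runtime checks described in the message above. All names are assumptions.
declare(strict_types=1);

/** Marker for raw request data that has not yet passed through a sanitiser. */
final class Untrusted {
    public function __construct(public string $value) {}
}

/**
 * Sanitiser: the only route from Untrusted to a plain string fit for HTML output.
 * @param Untrusted $u
 */
function escape_html(Untrusted $u): string {
    return htmlspecialchars($u->value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Output sink: refuses anything still wrapped as Untrusted. */
function echo_sink(mixed $s): void {
    if ($s instanceof Untrusted) {
        throw new RuntimeException('unsanitised input reached echo sink');
    }
    echo $s;
}

/**
 * Call $fn after checking each argument against the @param tags in its docblock,
 * so documentation and actual use cannot silently drift apart.
 */
function checked_call(string $fn, mixed ...$args): mixed {
    $ref = new ReflectionFunction($fn);
    preg_match_all('/@param\s+(\S+)\s+\$(\w+)/', (string) $ref->getDocComment(), $tags, PREG_SET_ORDER);
    foreach ($tags as $i => [, $type, $name]) {
        $actual = get_debug_type($args[$i] ?? null);
        if ($actual !== $type) {
            throw new TypeError("$fn(): \$$name documented as $type, got $actual");
        }
    }
    return $ref->invokeArgs($args);
}

// Constructed sample input; on the CLI $_GET is empty so the fallback is used.
$input = new Untrusted($_GET['q'] ?? '<script>alert(1)</script>');
echo_sink(checked_call('escape_html', $input));   // passes: sanitised, types match
try { echo_sink($input); } catch (RuntimeException $e) { echo "\n", $e->getMessage(); }
try { checked_call('escape_html', 'raw'); } catch (TypeError $e) { echo "\n", $e->getMessage(); }
```

The first call prints the escaped markup; the two `try` blocks show the sink refusing unsanitised input and the docblock check refusing a plain string where `Untrusted` is documented.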
