Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

To: Chris Warburton <chriswarbo@googlemail.com>
Cc: Scott Kitterman <debian@kitterman.com>, 625865@bugs.debian.org, debian-devel@lists.debian.org
Subject: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Fri, 6 May 2011 18:11:21 -0300
Message-id: <[🔎] 20110506211121.GB7641@khazad-dum.debian.net>
Reply-to: Henrique de Moraes Holschuh <hmh@debian.org>, 625865@bugs.debian.org
In-reply-to: <[🔎] 1304697369.20621.51.camel@linuxfedora>
References: <[🔎] 20110506125621.24012.17736.reportbug@linuxfedora> <[🔎] 201105060911.09204.debian@kitterman.com> <[🔎] 1304695430.20397.10.camel@debian.tauspace.local> <[🔎] 201105061129.34693.debian@kitterman.com> <[🔎] 1304697369.20621.51.camel@linuxfedora>

On Fri, 06 May 2011, Chris Warburton wrote:
> Hi Scott. ocPortal isn't massively widespread compared to other systems,
> so there's obviously less experimental proof of security. We had a
> security hole a few years ago; this was before I got involved, but
> there's details here http://en.wikipedia.org/wiki/OcPortal#Criticisms
> 
> Official ocPortal releases are managed by ocProducts, a company set up
> around ocPortal (and who pay my salary), and we have a clear security
> policy which can be found here
> http://ocportal.com/site/maintenance.htm .
> 
> We also regularly run static code analysis tools on the codebase and we
> test every release with a hacked PHP runtime that 1) triggers errors if
> strings are not explicitly sanitised before going through eval, getting
> echoed to a browser or being entered into a database, and 2) enforces a
> type system on variables and function calls (based on type signatures
> written into the PHPdoc of every function), and raises an error if there
> is a type mismatch. I actually run this hacked PHP on my system in place
> of the distro's own.
> 
> If there are specific security concerns I'd be happy to address them.

This is a better security policy than most PHP packages we have in the
archive.

That alone is grounds enough to allow ocportal in IMO.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
  - From: Chris Warburton <chriswarbo@googlemail.com>
- Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
  - From: Scott Kitterman <debian@kitterman.com>
- Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
  - From: Tshepang Lekhonkhobe <tshepang@gmail.com>
- Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
  - From: Scott Kitterman <debian@kitterman.com>
- Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
  - From: Chris Warburton <chriswarbo@googlemail.com>

Prev by Date: Bug#625887: RFP: upskirt -- robust and fast Markdown filter
Next by Date: Bug#625737: [Pkg-fonts-devel] Bug#625737: ITP: fonts-ricty -- High quality japanse fonts based on Inconsolata and Migu 1M
Previous by thread: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
Next by thread: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website
Index(es):
- Date
- Thread