List Archive: gentoo-web-user
Headers:
To: gentoo-web-user@g.o
From: wrobel@g.o
Subject: Upstream requirements for web-apps
Date: Wed, 11 Jan 2006 16:59:56 +0100
Hi there!

During the last web-apps meeting we decided that we would like to
further discuss the upstream requirements a package needs to fulfill
in order to be added to the portage tree by the web-apps team.

The current proposition is specified here:

http://svn.gnqs.org/projects/gentoo-webapps-overlay/wiki/UpstreamRequirements

In my discussion with Stuart this morning I did realize that there are
not too many packages available that would actually meet these
criteria. So far we probably have around five in the portage tree. 

The main blockers are the security requirements since many projects do
not provide special security contacts or mailing lists devoted to
security. For some projects this probably implies that they actually
don't care too much about security.

It is clear that it is not appealing for the web-apps herd to care for
a high number of unsafe packages in the tree especially since
web-applications by their very nature should be much more secure than
many applications only used locally. A high number of security bugs or
a slow response to these will not shine the best light on our distro.

So reliable security information from upstream would help the web-apps
team to react in a prompt and timely fashion when a security issue
arises.

On the other hand we would probably be forced to reduce the tree to a
small number of web-apps if we enforce the requirements very
stringently which might not be very appealing to our users.

I also had the impression that one of the packages that has been a
major problem last year (phpBB) actually nearly fulfills the current
requirement proposals (at least to a greater extent than many of the
smaller packages) but nonetheless has caused quite an amount of grief.
Having bug trackers, announcement lists and security mails might not
always cover up for direct experience with the project itself.

So I would suggest that we enforce the current proposal in all the
cases where we do not have a developer in our herd actively using the
package. I think that any dev of our herd that actively uses a
package is probably a better source of information about the security
of the package than the mailing lists of the project. At least as long
as I assume that we care a lot more about the security of our servers
than the average user. But I believe that's a safe bet.

If there is no dev with an active interest in the package all we have
is the information from upstream. In this case I do believe the
requirements make absolute sense.

My .2 cents :)

Cheers

Gunnar


-- 
Gunnar Wrobel                    Gentoo Developer
__________________C_o_n_t_a_c_t__________________

Mail: wrobel@g.o
WWW:  http://www.gunnarwrobel.de
IRC:  #gentoo-web at freenode.org
_________________________________________________
Attachment:
pgpVwyMdMb6Rv.pgp (PGP signature)
Replies:
Re: Upstream requirements for web-apps
-- Renat Lumpau


Updated Jun 17, 2009

Summary: Archive of the gentoo-web-user mailing list.


Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.