Gentoo Archives: gentoo-web-user

From: wrobel@g.o
To: gentoo-web-user@l.g.o
Subject: [gentoo-web-user] Upstream requirements for web-apps
Date: Wed, 11 Jan 2006 16:33:37
Hi there!

During the last web-apps meeting we decided that we would like to
further discuss the upstream requirements a package needs to fulfill
in order to be added to the portage tree by the web-apps team.

The current proposition is specified here:

In my discussion with Stuart this morning I did realize that there are
not too many packages available that would actually meet these
criteria. So far we probably have around five in the portage tree. 

The main blocker are the security requirements since many projects do
not provide special security contacts or mailing lists devoted
security. For some projects this probably implies that they actually
don't care too much about security.

It is clear that it is not appealing for the web-apps herd to care for
a high number of unsafe packages in the tree especially since
web-applications by their very nature should be much more secure than
many applications only used locally. A high number of security bugs or
a slow response to these will not shine the best light on our distro.

So reliable security information from upstream would help the web-apps
team to react in a prompt and timely fashion when a security issues

On the other hand we would probably be forced to reduce the tree to a
small number of web-apps if we enforce the requirements very
stringently which might not be very appealing to our users.

I also had the impression that one of the packages that has been a
mojor problem last year (phpBB) actually nearly fulfills the current
requirement proposals (at least to a greater extend than many of the
smaller packages) but nonetheless has caused quite an amount of grief.
Having bugs tracker, announcement lists and security mails might not
always cover up for direct experience with the project itself.

So I would suggest that we enforce the current proposal in the all
cases where we do not have a developer in our herd actively using the
package. I think that any dev's of our herd that actively uses a
package is probably a better source of information about the security
of the package than the mailing lists of the project. At least as long
as I assume that we care a lot more about the security of our servers
than the average user. But I believe that's a safe bet.

If there is no dev with an active interest in the package all we have
are the information from upstream. In this case I do believe the
requirements make absolute sense.

My .2 cents :)



Gunnar Wrobel                    Gentoo Developer

Mail: wrobel@g.o
IRC:  #gentoo-web at


Subject Author
Re: [gentoo-web-user] Upstream requirements for web-apps Renat Lumpau <rl03@g.o>