---------- Forwarded message ----------
From: Emilien Klein <emilien+deb...@klein.st>
Date: 2014-12-31 21:52 GMT-05:00
Subject: Re: poor code quality in shaarli package, remove from Debian?
To: Paul Wise <p...@debian.org>
Cc: Debian Security <secur...@debian.org>, Georges Khaznadar <georg...@debian.org>, Julien Voisin <julien.voi...@dustri.org>, nodiscc <nodi...@gmail.com>
Adding nodiscc in CC, the main pusher of the community fork.

2014-12-31 21:20 GMT-05:00 Paul Wise <p...@debian.org>:
> Hi folks,
>
> I was discussing the CVE issued for the shaarli package with the person
> who found the issues (Julien, CCed)

Can you link to that CVE? I will report this upstream (github) to make the original upstream developer and the community fork developers aware of it.

> and came to the conclusion that the
> code is terrible, upstream maintenance has stopped and the package
> should be removed from Debian entirely. Here is our IRC log:
>
> <jvoisin> I'm quite sure that no one should use shaarli anyway. It's not
> maintained, and the code is awful :/
> <pabs> do you think it should be removed from Debian?
> <jvoisin> https://github.com/sebsauvage/Shaarli/ Last commit one year ago,
> almost 100 issues, …
> <jvoisin> I think so, yes
> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <pabs> seems reasonably well maintained in Debian, so I would suggest filing
> a bug on the package itself about this
> <jvoisin> This is not even remotely funny.
> <pabs> it seems pointless but what would the downside be?
> <jvoisin> This is predictable
> <jvoisin> and
> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like
> an arbitrary redirect to me
> <jvoisin> Anyway, I don't care that much about this 2500LoC PHP script
> <pabs> there are several more instances of this in the code
> <jvoisin> yup

The version currently packaged in Debian is from the [hopefully temporary] community fork [0], due to the inactivity on the side of the original developer.

[0] https://github.com/shaarli/Shaarli

We are working with the original developer to get things moving again [1], but he has indicated that he doesn't expect to be able to merge the community fork before spring.
[1] https://github.com/sebsauvage/Shaarli/issues/191#issuecomment-68188141

The last "officially" released version is 0.0.41beta (don't ask about the versioning scheme... community fork going to 1.0 soon); the version in Debian called 0.0.42beta is the state as represented in HEAD of the official repo, but the fork is already almost 70 commits further, fixing bugs and merging pull requests made towards upstream. There is activity, as the users of Shaarli do demand that. Hence my original effort to package that in Debian.

Since a large number of changes were made around/after the Jessie freeze, I am currently waiting for Jessie to be released to push for the release of a new community version, and package that in Debian.

I would much rather have shaarli removed from Jessie for now, but kept in unstable/testing so that we can include the latest fixes from the community fork, and include a fix for the mentioned CVE. Is that an acceptable solution, security-wise?

+Emilien

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org