On Wed, Jun 22, 2005 at 11:35:58PM +0100, Phil Endecott wrote:
> >Including a
> >custom version of ROTE with anyterm would probably cause the package to
> >be rejected.
>
> ..
>
> >Have you considered forking ROTE
>
> So do you think that forking a custom version is good or bad?
>

I think it is bad, but better than trying to include the whole thing
inside of anyterm.

> As I said this may become an issue if / when I need to make further changes.
> For the time being I am happy with things as they are. I have not had any
> feedback from users complaining about the current arrangement. There are more
> important things on my to-do list than solving this problem.
>

Understood.

> >or asking Bruno to allow you to take a
> >more active role (like CVS commit access)?
>
> So what would I commit? If I wanted a change, I would send him a patch. But
> if I submit a patch that causes binary incompatibility, that will cause
> problems. (Or, at least, it causes issues that *I* don't properly
> understand.
> I don't know who is using ROTE and for what.)
>

OK. I thought the bigger issue was Bruno not having enough time. What
you say makes sense. Maybe there is something we can do to see if he is
willing to commit some more time.

>
> >* apt-get install gets the files in place, but the module remains
> >disabled
> >* Document well all potential security issues and provide references for
> >external reading (including the anyterm web pages/forums).
>
> OK, but you need to present a default configuration where users have *no
> excuse* for ending up with an insecure system. People will always tend to do
> the minimum that is necessary to get something working.
>

The default will be that the thing will be turned off completely by
default. Thus, the user will need to at least manually enable the
module and restart apache, and (if you agree) enable it in
/etc/defaults. Unfortunately, there is no way to guarantee that they
will read the docs prior to using it, but that should present a high
enough barrier that newbies shouldn't get blindsided and experienced
Apache admins should know better.

Tell me if you think I am missing what you are saying.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr