Hi Jan,

Jan Wagner wrote:
> Hi Ralf,
>
> one of the main problems for packaging egroupware (not exclusively relevant for
> debian) is the huge amount of embedded code copies[1] (search for
> 'egroupware'). This was the reason to not include egroupware into sarge and is
> the actual reason for removing it from testing. If there pops up a security
> problem for any embedded code copy, the (egroupware) package needs to be fixed in
> any way. The ideal solution would be to get rid of the embedded code copies in
> the egroupware debian package and use the debian package of the embedded code
> copy. For example with phpmailer, just the phpmailer package needs to be fixed
> and egroupware is not vuln anymore.
> The actual problem is, to fix the problem in the egroupware package too, which
> is a big security mess.
Unfortunately the problem is more complex. Here are a few reasons why code is embedded into EGroupware instead of using external libraries:

- upstream did not accept patches necessary for bugfixes or enhancements (eg. CalDAV support via HTTP_WebDAV_Server)
- missing time and resources to communicate and negotiate with upstream to accept required modifications
- not creating more dependencies for inexperienced users mostly using zip archives under windows (I know that does not matter for Debian, but it's important for our user base). So far we only have dependencies on either PHP extensions or PEAR packages (for the EGroupware core).
- sharing authentication and sessions with other external applications can usually not be achieved with just a parallel installation. Even if the software is untouched (as for example Gallery2) we need to provide configuration files (fetching their data from EGroupware) within their code trees
- other stuff like eg. FCKeditor requires creating and/or configuring a serverside backend

I know most of the above can be solved, if we look only at Debian and EGroupware developers had more resources to spend in that area.

Looking at the exploits of the last years - the majority was caused by embedded code - most were fixed within days of coming to my knowledge. That process of course only starts after the upstream projects have published.

> So if you could take this code copy issue into account, the conditions for
> egroupware in debian would benefit a lot.
>
> Thanks and with kind regards, Jan.
> [1]
> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file

This list is not up to date. It lists all problems as unfixed, which is not the case: the exploits in these embedded packages are either:

- fixed in the most current EGroupware packages or
- can not be executed in EGroupware (eg. we use only SMTP in phpMailer)

Independent of how EGroupware is maintained in Debian in future, I'm happy to work closer together with the Debian Security Team, to get earlier information about exploits in embedded code and coordinate security fixes.

If I'm going to maintain EGroupware in Debian, everyone can expect same-time releases of Debian packages (to experimental), as for the other rpm packages or archives of EGroupware. I will of course very much try to handle at least the Linux packages of EGroupware as close as possible together - though in the past mostly the rpm packages benefited from the already nice Debian packages. I have now made many fixes and enhancements to our commercial Debian packages, which I plan to integrate (or report back) to Debian.

Anyway, most important for me is that EGroupware stays in Debian. I'm happy if we (the EGroupware project) have a competent and timely available Debian maintainer, as we had in the past with Peter.

Ralf

-- 
Ralf Becker
Director Software Development
Stylite GmbH [open style of IT]
Morschheimer Strasse 15
67292 Kirchheimbolanden
phone +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: r...@stylite.de
www.stylite.de
www.egroupware.org
________________________________________________
Managing directors: Andre Keller, Gudrun Müller, Nigel Vickers and Ralf Becker
Registry court Kaiserslautern HRB 30575
VAT Id: DE214280951