[Ampache updated] packages that use deprecated SQL escape functions
On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote:
> Hi everyone
>
> We had a few issues in the past with insufficient database escaping, which led
> to possible SQL injections due to the use of the deprecated functions
> mysql_escape_string() and PQescapeString().
> These functions do not take the encoding of the established connection into
> account, which can lead to insufficient escaping, if the encoding of this
> connection can be set to certain multibyte character encodings (such as GBK).
> I found the explanation given in this email[0] quite useful to elaborate on
> the thread.
>
> In order to prevent this issue, the new functions mysql_real_escape_string()
> [1] and PQescapeStringConn()[2] have been added, which honour the specific
> encoding of the connection.
> [snip]
>
> ampache: Charlie Smotherman
>
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));

Steffen,

Thanks for the mail. I have patched ampache to use mysql_real_escape_string(). I would appreciate it if someone would sponsor this fix.

http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc

Thank you
Charlie Smotherman
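The escaping problem Steffen describes, as an added illustration that is not ampache's, getid3's or the thread's own code: a byte-wise escaper of the mysql_escape_string() kind is modelled beside one that decodes the input under the connection charset first, and a small model of how a server would read the resulting literal under GBK shows which one leaves a quote unescaped. The server model (a backslash escapes the next character of the connection charset) and the sample inputs are assumptions constructed for this example.

```python
# Added example, not ampache's or getid3's code. Models why a byte-wise escaper
# (the deprecated mysql_escape_string() approach) is insufficient under a
# multibyte connection charset such as GBK, beside an escaper that decodes the
# input under the connection charset first. The server model in
# quote_terminates_literal() is an assumption for this illustration.
SPECIAL_CHARS = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0", "\n": "\\n", "\r": "\\r"}
SPECIAL_BYTES = {ord(ch): rep.encode("ascii") for ch, rep in SPECIAL_CHARS.items()}


def escape_bytewise(data: bytes) -> bytes:
    """Escape byte by byte, blind to the connection charset (deprecated style)."""
    return b"".join(SPECIAL_BYTES.get(b, bytes([b])) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode under the connection charset, escape whole characters, re-encode.
    Strict decoding rejects input that is malformed in that charset."""
    text = data.decode(charset)  # raises UnicodeDecodeError on a stray lead byte
    return "".join(SPECIAL_CHARS.get(ch, ch) for ch in text).encode(charset)


def quote_terminates_literal(escaped: bytes, charset: str) -> bool:
    """Model the server reading the escaped bytes as a single-quoted literal
    under the connection charset; a backslash escapes the next character.
    True means an unescaped quote would end the literal early."""
    chars = iter(escaped.decode(charset, errors="replace"))
    for ch in chars:
        if ch == "\\":
            next(chars, None)  # escaped character: skip it
        elif ch == "'":
            return True
    return False


def demo() -> dict:
    """Constructed inputs: a stray GBK lead byte 0xBF before a quote, and the
    valid two-byte GBK character 0xBF 0x5C (U+7E17) before a quote."""
    stray_lead = b"\xbf'"
    valid_char = b"\xbf\x5c'"
    out = {
        # Byte-wise escaping inserts 0x5C after 0xBF, forming a valid GBK character.
        "bytewise_stray": quote_terminates_literal(escape_bytewise(stray_lead), "gbk"),
        # Byte-wise escaping also splits a valid character whose trail byte is 0x5C.
        "bytewise_valid": quote_terminates_literal(escape_bytewise(valid_char), "gbk"),
        "aware_valid": quote_terminates_literal(escape_charset_aware(valid_char, "gbk"), "gbk"),
    }
    try:
        escape_charset_aware(stray_lead, "gbk")
        out["aware_stray"] = "accepted"
    except UnicodeDecodeError:
        out["aware_stray"] = "rejected"
    return out
```

The same byte-wise escaper is sound for a single-byte connection charset such as latin1, which is why the defect only surfaces once the connection charset is switched to a multibyte one.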
Re: Proposed mass prototypejs bug filing for multiple security issues
On Sun, 2009-10-18 at 20:43 -0400, Michael S Gilbert wrote:
> Hi,
>
> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1]. This script is embedded in about 32 other
> packages and I would like to file bugs against all of those that are
> affected. Since this would probably be considered a mass filing, I am
> running it past -devel first.
>
> - ampache 3.4.1-2 (embed)

Not shipped in the resulting binary package. See Depends:,

Charlie
RFH: How to compile swf files from source
Hello all,

In my package ampache it ships xspf_jukebox.fla and xspf_jukebox.swf and I recently received bug #591202 which states:

"ampache ships a swf file but does not build it from source."

I am curious to know which part of Debian Policy states that this is required? I have searched but was unable to find anything.

If the source code accompanies the precompiled file how does that make the package non compliant with DFSG? (bug #591196)

Are there Debian tools available to do this? If so what are they?

It seems I am not the only one having this problem #591199, #591383.

Any help in this matter would be greatly appreciated.

Charlie Smotherman

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1280958574.29450.39.ca...@debian
Re: RFH: How to compile swf files from source
On Wed, 2010-08-04 at 16:59 -0500, Peter Samuelson wrote:
> [Charlie Smotherman]
> > "ampache ships a swf file but does not build it from source."
> >
> > I am curious to know which part of Debian Policy states that this is
> > required? I have searched but was unable to find anything.
>
> It is the principle. If I am an end user, and I want to modify your
> .swf file on my Debian system, how do I do it? What do I edit? Do I
> need to go through a separate step to obtain a usable .swf with my
> modifications in it?
>
> Source code is a means to an end. The end is the ability of the end
> user to customize the software. If you get source code but no way to
> build a new .swf file from it, this end is not served.
>
> (Although Debian doesn't strictly subscribe to the FSF's "Four
> Freedoms" (http://www.gnu.org/philosophy/free-sw.html), I think the
> FSF's explanation of "freedom 1" is pretty good.)

If I interpret your above statement correctly, there is no policy that states that this is required. Is that a fair statement? If there is nothing in policy to support bug #519202, how can it be considered valid?

I'm not trying to start a flame war or anything; I'm just trying to understand how a bug can be filed against my package and be considered a serious violation of policy when there is nothing in the policy manual stating such.

Charlie
Re: Are binary packages required to be built from the corresponding source files? (was: RFH: How to compile swf files from source)
On Thu, 2010-08-05 at 10:48 +1000, Ben Finney wrote:
> Charlie Smotherman writes:
>
> > "ampache ships a swf file but does not build it from source."
> >
> > I am curious to know which part of Debian Policy states that this is
> > required? I have searched but was unable to find anything.
>
> I would interpret it as follows:
>
> Policy §2.2.1 states “Every package in _main_ must comply with the DFSG
> (Debian Free Software Guidelines).”
>
> To comply with DFSG §2, the source package must include the binary
> package's corresponding source code.
>
> To comply with DFSG §3, the package must allow the recipient to make
> modifications and build a package suitable for redistribution.
>
> Policy §2.2.1 further states “In addition, the packages in _main_ […]
> must not require a package outside of _main_ for compilation or
> execution […]”.
>
> Perhaps that could be interpreted in a way that permits the package
> build process to ignore the recipient's changes to the source file and
> continue to supply the pre-compiled binary, but that interpretation
> seems like a perverse one.
>
> If the package build process doesn't use the source, as modified by the
> recipient, then it's disingenuous to claim that DFSG §3 is being met.
> Perhaps the letter is followed, but I would maintain that its intent is
> not.
>
> Perhaps I misunderstand the intent, though. It's happened before :-)

Ben,

Thanks for your insight, I found it informative and educational.

Charlie
Re: Non-recompilable binaries in source and binary packages (Adobe Flash strikes again)
On Thu, 2010-08-12 at 20:31 +0200, Tanguy Ortolo wrote:
> On Thursday 12 August 2010, Ian Jackson wrote:
> > The current approach of the project in these cases seems to be that
> > the right thing to do is to rebuild the source package so that the
> > non-free pieces are removed.
>
> Non-free? According to the DFSG, are they not free? I cannot see any
> point of the DFSG that such a program, distributed both in source and
> compiled form, with a free license, compilable only with non-free tools,
> would infringe.
>
> I thought they were only failing one policy condition to be in the free
> area, but not the DFSG. As the policy section 2.2.2 says:
>
> Every package in contrib must comply with the DFSG.
>
> So if such a non-recompilable, free-licensed binary fails the DFSG, it
> should not even go to contrib, but to non-free!

Tanguy

You may want to look at this thread
http://lists.debian.org/debian-devel/2010/08/msg00082.html

Best regards
Charlie
Bug#647913: O: boa-constructor -- RAD tool for Python and wxWindows application
Package: wnpp
Severity: normal

I no longer use boa-constructor and I am not interested in maintaining it anymore.