Bug 1000267

Summary: wordpress contains bundled Flash and Silverlight files
Product: [Fedora] Fedora
Reporter: T.C. Hollingsworth <tchollingsworth>
Component: wordpress
Assignee: Remi Collet <fedora>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: awilliam, fedora, gwync, ignatenko, mcepl, mcepl
Fixed In Version: wordpress-3.6-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-14 19:04:26 UTC
Type: Bug
Bug Blocks: 1000236, 991791    

Description T.C. Hollingsworth 2013-08-23 04:44:31 UTC
This package contains binary files that are typically executed by the Flash
player or another similar program.

These files are not permitted in Fedora. [1]  Everything we produce needs to
be built from source. [2]

The offending file(s) shipped in this package are:
/usr/share/wordpress/wp-includes/js/plupload/plupload.flash.swf
/usr/share/wordpress/wp-includes/js/plupload/plupload.silverlight.xap
/usr/share/wordpress/wp-includes/js/swfupload/swfupload.swf
/usr/share/wordpress/wp-includes/js/tinymce/plugins/media/moxieplayer.swf

If these files are just a fallback for something that is now supported by modern
web standards like the HTML5 <video> element, please just remove the binaries.

If removing these files would seriously cripple your application, please let me
know so we can figure out a solution.

If you have any questions, please shout.  Thanks!

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
[2] https://lists.fedoraproject.org/pipermail/devel/2013-August/187836.html

Comment 1 Adam Williamson 2013-08-23 08:05:29 UTC
When it's done, http://koji.fedoraproject.org/koji/taskinfo?taskID=5844538 will be a scratch build of Wordpress 3.6 with the simplest possible approach to this: swfupload is ripped out bodily (with a patch to remove its hooks from script-loader.php), and the other files are wiped with no other changes made. Note that wordpress 3.6 adds a couple *more*, as it adds 'wp-includes/js/mediaelement' as a media player...thingy...which is supposed to present a 'consistent experience' across multiple browsers and media formats by using a Flash or Silverlight player that looks like an HTML5 player when pure HTML5 won't work to play a given format on a given browser.

I'm hoping that plupload and mediaelement will cope intelligently with the plugins not being present and do something sensible instead of falling over; it's rather difficult to tell from the 'source code' since the 'source code' for both is a cryptic set of unreadable minified javascript. plupload should be able to simply fall back to its HTML 4 uploader if the SWF and Silverlight ones aren't there, but there's going to be stuff mediaelement just can't do without the plugins, like serve h.264 to Firefox. I'm not sure why tinymce saw fit to include its own bloody media player yet, but we'd better test whatever it's doing with that too.

I have not tested this at all yet; I'm throwing the scratch build up in case others wish to do so as well as me. (I'm going to bed after this and test it in the morning). You'll need to configure file uploading and try embedding some media in a post with the new [video] and [audio] short tags to test these changes, I think. Christ knows how to test the tinymce one.
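
Added example, not part of the bug report or of the Fedora packaging: a content-based check for the file types listed in the description, which identifies them by signature rather than by name and so also catches additions such as the ones Comment 1 notes in WordPress 3.6. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import zipfile

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF signatures

def classify(path):
    """Return 'flash', 'silverlight' or None, judged by content rather than name."""
    with open(path, "rb") as fh:
        head = fh.read(8)  # SWF header: 3-byte signature, version byte, 4-byte length
    if len(head) == 8 and head[:3] in SWF_MAGIC:
        return "flash"
    if head[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(path) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return None
        # A Silverlight .xap is a ZIP archive carrying AppManifest.xaml.
        if "appmanifest.xaml" in names:
            return "silverlight"
    return None

def scan_tree(root):
    """Walk an unpacked package tree; return sorted (relative path, kind) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), kind))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree: stub files, not real WordPress content."""
    swf = b"CWS" + bytes([10]) + (16).to_bytes(4, "little") + b"\x00" * 8
    plain = {"js/plupload/plupload.flash.swf": swf,
             "js/mediaelement/renamed-player.dat": swf,  # constructed name
             "js/plupload/plupload.js": b"/* minified script stub */"}
    for rel, data in plain.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    for rel, member in (("js/plupload/plupload.silverlight.xap", "AppManifest.xaml"),
                        ("js/bundle.zip", "readme.txt")):  # second is an ordinary ZIP
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr(member, "<stub/>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in scan_tree(tmp):
            print(f"{kind:12} {rel}")
```

Pointing `scan_tree` at an unpacked source tarball or build root reports each match with its relative path; an ordinary ZIP or a script is not flagged.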

Comment 2 Adam Williamson 2013-08-23 23:15:22 UTC
OK, I think I've now got a build that smoothly handles all the removals. I'm sending it through to 'stable' for Rawhide and F20 and testing for all other releases.

Comment 3 Fedora Update System 2013-08-24 00:23:28 UTC
wordpress-3.6-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/wordpress-3.6-1.fc19

Comment 4 Fedora Update System 2013-08-24 00:23:37 UTC
wordpress-3.6-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/wordpress-3.6-1.fc18

Comment 5 Fedora Update System 2013-08-24 00:23:47 UTC
wordpress-3.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/wordpress-3.6-1.el6

Comment 6 Fedora Update System 2013-08-24 18:40:12 UTC
Package wordpress-3.6-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing wordpress-3.6-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11325/wordpress-3.6-1.el6
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-09-14 19:04:26 UTC
wordpress-3.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-09-15 00:51:02 UTC
wordpress-3.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-09-15 00:52:05 UTC
wordpress-3.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.