Bug 191968

Summary: Review Request: phpBB - A php Bulletin Board
Product: [Fedora] Fedora
Reporter: Mike McGrath <imlinux>
Component: Package Review
Assignee: Thorsten Leemhuis (ignored mailbox) <bugzilla-sink>
Status: CLOSED NOTABUG
QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium
Priority: medium
Version: rawhide
CC: peter, tibbs
Hardware: All
OS: Linux
Last Closed: 2006-11-07 09:25:12 EST
Bug Blocks: 201449

Description Mike McGrath 2006-05-16 12:31:02 EDT
Spec: http://mmcgrath.net/~mmcgrath/phpBB/phpBB.spec
SRPM: http://mmcgrath.net/~mmcgrath/phpBB/phpBB-2.0.20-1.src.rpm
Description: 

phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC
database servers, phpBB is the ideal free community solution for all web sites.
Comment 1 Paul Howarth 2006-05-16 12:45:18 EDT
See also Bug #188410 for discussion on this application.
Comment 2 Jason Tibbitts 2006-05-16 12:46:57 EDT
Do you have any comment on the issues raised in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188410 ?
Comment 3 Mike McGrath 2006-05-16 13:36:49 EDT
I thought I saw this before.  I can't find anything in bugzilla I swear....

Anyway, if it's the general will of Extras to keep this out then I'll close this
like the last one.  I don't think there's strong enough arguments on either
side that says this absolutely should or shouldn't be in extras.  My take on it
is that if Fedora users want to use it, it would be nice if they used extras
where it will always be updated.  That's the nice thing about yum and our
package management system.  They don't have to keep tabs on what phpBB is doing
or if a new version has come out in order to have an up to date system.  They
only have to run "yum update".
Comment 4 Peter Gordon 2006-05-16 14:14:30 EDT
Mike,

I think that the main reason people do not like phpBB is its security track
record (well, the lack thereof at least...)

However, there is a point in which the packager simply must trust that upstream
is doing their job to keep things updated and patched. Generally, the phpBB
people are good about quickly putting out security fixes for their software; and
I think having multiple maintainers for such a package would make it so that we
could keep the software in Extras patched and updated very quickly after such a
fix is put out from upstream. In this way, users would not need to worry about
their server's security due to this application. 

If the community wants phpBB to be put into Extras, would having a couple (or
more) comaintainers to keep it updated and fixed ease their worries a bit? If
this is the case, I would be happy to help Mike (and others?) maintain phpBB in
Extras. (I submitted bug #188410.) 

However, I think it would be best if the code went through at least a brief
security audit before being putting in Extras. There is a point where upstream
simply needs to be trusted; but with phpBB's upstream, I do not think it wise to
have that trust quite so blindly. Would this be feasible?
Comment 5 Mike McGrath 2006-05-16 14:33:09 EDT
Sounds good to me.  I'll be the first to admit that phpBB has done a lot of harm
on the net, but I don't think that it means we shouldn't package it.  Lots of
people use it (including myself).  

Is there a way to have multiple maintainers get notified when a bug gets
submitted?  As long as the contributors in question make sure to assign the bug
to themselves when they start working on it I don't think people would step on
each other's toes much.
Comment 6 Peter Gordon 2006-05-16 14:36:47 EDT
(In reply to comment #5)
> Is there a way to have multiple maintainers get notified when a bug gets
> submitted?  As long as the contributors in question make sure to assign the bug
> to themselves when they start working on it I don't think people would step on
> each other's toes much.

I don't know for certain, but would adding both of our email addresses in the
owners.list with a comma separating the two (if we import this) be adequate?
Comment 7 Jason Tibbitts 2006-05-16 14:42:21 EDT
Damn mid-air collisions.....

I don't really understand why Peter gave up on the original review request;
phpBB is commonly used and I fully agree with Mike that having automated updates
coming from a trusted source should be far better for overall security than
requiring every single admin to watch for updates and manually apply them.

I do think that this should be blocked until the current minor issues open on
2.0.20 are closed.  (There's a full path disclosure and I think one other issue
that I can't recall at the moment.)

My real concern is for the feasibility of doing automated upgrades.  I look
after a small phpBB setup and while the procedure for me is simple because I
don't run any mods, it's never as simple as just replacing the files.  How is
that going to be handled by the package?  If we're going to put this into
extras, we can't be afraid to push updates quickly and admins need to trust that
those updates will work (else they'll just not update the package at all).
Comment 8 Mike McGrath 2006-05-16 15:00:48 EDT
This may be a bit drastic, but if there's a severe vulnerability out, could we
have our update disable phpBB with a "Make sure to read the docs for this
upgrade" type message?
Comment 9 Jason Tibbitts 2006-05-16 15:09:43 EDT
I don't think that's wise; I can't think of any other instance of a package
doing that.

One additional thought is that we can get the big heads together and figure out
the proper selinux policies to contain the impact of potential vulnerabilities.
(Or is that even reasonable?  I'm no selinux expert, but I try not to turn it
off at the first sign of trouble.)
Comment 10 Ville Skyttä 2006-05-16 15:42:14 EDT
I don't think adding multiple initial owners in owners.list works, but one can
be added there and the rest to initialcclist.
Comment 11 Peter Gordon 2006-05-16 17:10:50 EDT
Jason: I "gave up" originally because it seemed that it would be better to wait
until we could have multiple maintainers for it (at least) so that any security
issues could be fixed quickly. 

With respect to modifications made by the user, I think that it therefore
becomes his or her prerogative to keep the phpBB install updated. I see this
issue as similar to that of other packages: the user is free to modify it from
its original packaging, but only that packaging is supported from the people who
maintain it (be it one or more of Red Hat's engineers or others who maintain
Extras stuff).

If there is an update script or similar that needs to be run, could we
potentially automate this enough to put it into the %post section ok?
Comment 12 Peter Gordon 2006-05-16 17:15:58 EDT
(In reply to comment #10)
> I don't think adding multiple initial owners in owners.list works, but one can
> be added there and the rest to initialcclist.

We'll have to do that then if it's imported. Thanks, Ville.

Comment 13 Mike McGrath 2006-11-07 09:25:12 EST
Sorry guys, I am conflicted about this particular package and since I don't use
it any more I'm closing it so someone else can take it up if they need to.  This
will be the second time this package hasn't made it into extras.