Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Review Request: phpBB - A php Bulletin Board|
|Product:||[Fedora] Fedora||Reporter:||Mike McGrath <imlinux>|
|Component:||Package Review||Assignee:||Thorsten Leemhuis (ignored mailbox) <bugzilla-sink>|
|Status:||CLOSED NOTABUG||QA Contact:||Fedora Package Reviews List <fedora-package-review>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2006-11-07 09:25:12 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Mike McGrath 2006-05-16 12:31:02 EDT
Spec: http://mmcgrath.net/~mmcgrath/phpBB/phpBB.spec SRPM: http://mmcgrath.net/~mmcgrath/phpBB/phpBB-2.0.20-1.src.rpm Description: phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Comment 1 Paul Howarth 2006-05-16 12:45:18 EDT
See also Bug #188410 for discussion on this application.
Comment 2 Jason Tibbitts 2006-05-16 12:46:57 EDT
Do you have any comment on the issues raised in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188410 ?
Comment 3 Mike McGrath 2006-05-16 13:36:49 EDT
I thought I saw this before. I can't find anything in bugzilla I swear.... Anyway, if it's the general will of Extras to keep this out then I'll close this like the last one. I don't think there's strong enough arguements on either side that says this absolutely should or shouldn't be in extras. My take on it is that if Fedora users want to use it, it would be nice if they used extras where it will always be updated. That's the nice thing about yum and our package management system. They don't have to keep tabs on what phpBB is doing or if a new version has come out in order to have an up to date system. They only have to run "yum update"
Comment 4 Peter Gordon 2006-05-16 14:14:30 EDT
Mike, I think that the main reason people do not like phpBB is its security track record (well, the lack thereof at least...) However, there is a point in which the packager simply must trust that upstream is doing their job to keep things updated and patched. Generally, the phpBB people are good about quickly putting out security fixes for their software; and I think having multiple maintainers for such a package would make it so that we could keep the software in Extras patched and updated very quickly after such a fix is put out from upstream. In this way, users would not need to worry about their server's security due to this application. If the community wants phpBB to be put into Extras, would having a couple (or more) comaintainers to keep it updated and fixed ease their worries a bit? If this is the case, I would be happy to help Mike (and others?) maintain phpBB in Extras. (I submitted bug #188410.) However, I think it would be best if the code went through at least a brief security audit before being putting in Extras. There is a point where upstream simply needs to be trusted; but with phpBB's upstream, I do not think it wise to have that trust quite so blindly. Would this be feasible?
Comment 5 Mike McGrath 2006-05-16 14:33:09 EDT
Sounds good to me. I'll be the first to admit that phpBB has done a lot of harm on the net, but I don't think that it means we shouldn't package it. Lots of people use it (including myself). Is there a way to have multiple maintainers get notified when a bug gets submitted? As long as the contributors in question make sure to assign the bug to themselves when they start working on it I don't think people would step on eachothers toes much.
Comment 6 Peter Gordon 2006-05-16 14:36:47 EDT
(In reply to comment #5) > Is there a way to have multiple maintainers get notified when a bug gets > submitted? As long as the contributors in question make sure to assign the bug > to themselves when they start working on it I don't think people would step on > eachothers toes much. I don't know for certain, but would adding both of our email address in the owners.list with a comma separating the two (if we import this) be adequate?
Comment 7 Jason Tibbitts 2006-05-16 14:42:21 EDT
Damn mid-air collisions..... I don't really understand why Peter gave up on the original review request; phpBB is commonly used and I fully agree with Mike that having automated updates coming from a trusted source should be far better for overall security than requiring every single admin to watch for updates and manually apply them. I do think that this should be blocked until the current minor issues open on 2.0.20 are closed. (There's a full path disclosure and I think one other issue that I can't recall at the moment.) My real concern is for the feasibility of doing automated upgrades. I look after a small phpBB setup and while the procedure for me is simple because I don't run any mods, it's never as simple as just replacing the files. How is that going to be handled by the package? If we're going to put this into extras, we can't be afraid to push updates quickly and admins need to trust that those updates will work (else they'll just not update the package at all).
Comment 8 Mike McGrath 2006-05-16 15:00:48 EDT
This may be a bit drastic but if there's a severe vulnerability out, could we have our update disable phpBB with a "Make sure to read the docs for this upgrade" type message.
Comment 9 Jason Tibbitts 2006-05-16 15:09:43 EDT
I don't think that's wise; I can't think of any other instance of a package doing that. One additional thought is that we can get the big heads together and figure out the proper selinux policies to contain the impact of potential vulnerabilities. (Or is that even reasonable? I'm no selinux expert, but I try not to turn it off at the first sign of trouble.)
Comment 10 Ville Skyttä 2006-05-16 15:42:14 EDT
I don't think adding multiple initial owners in owners.list works, but one can be added there and the rest to initialcclist.
Comment 11 Peter Gordon 2006-05-16 17:10:50 EDT
Jason: I "gave up" originally because it seemed that it would be better to wait until we could have multiple maintainers for it (at least) so that any security issues could be fixed quickly. With respect to modifications made by the user, I think that it therefore becomes his or her perogative to keep the phpBB install updated. I see this issue as similar to that of other packages: the user is free to modify it from its original packaging, but only that packaging is supported from the people who maintain it (be it one or more of Red Hat's engineers or others who maintain Extras stuff). If there is an update script or similar that needs to be run, could we potentially automate this enough to put it into the %post section ok?
Comment 12 Peter Gordon 2006-05-16 17:15:58 EDT
(In reply to comment #10) > I don't think adding multiple initial owners in owners.list works, but one can > be added there and the rest to initialcclist. We'll have to do that then if it's imported. Thanks, Ville.
Comment 13 Mike McGrath 2006-11-07 09:25:12 EST
Sorry guys, I am conflicted about this particular package and since I don't use it any more I'm closing it so someone else can take it up if they need to. This will be the second time this package hasn't made it into extras.