Bug 579428 - (w3af) Package Review: w3af - Web Application Attack and Audit Framework
Product: Fedora
Classification: Fedora
Component: Package Review
Platform: All Linux
Priority: low
Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-04-05 02:09 EDT by Michal Ambroz
Modified: 2010-12-17 12:51 EST
Last Closed: 2010-12-17 12:51:25 EST
Attachments: None
Description Michal Ambroz 2010-04-05 02:09:20 EDT
Dear members, could you please review this package to check its suitability for the Fedora Project?

W3AF is a Web Application Attack and Audit Framework.
The W3AF core and its plug-ins are fully written in Python.
The project has more than 130 plug-ins, which check for SQL injection,
cross-site scripting (XSS), local and remote file inclusion and much more.

SPEC Url: http://rebus.webz.cz/d/w3af.spec
SRPM Url: http://rebus.webz.cz/d/w3af-1.0-0.1.rc3.fc12.src.rpm

Best regards 
Michal Ambroz
Comment 1 Josh Bressers 2010-04-05 07:52:28 EDT
While this package has a security relevance, the Security keyword is for security flaws. I'm removing the keyword.

Thanks for adding this, it should prove useful.
Comment 2 Michal Ambroz 2010-04-06 15:03:53 EDT
This will be a long run, I guess.

Tom "spot" Callaway pointed out that the package as it is could be complicated from the licensing point of view.
GPLv2 is incompatible with GPLv3.

Any help with review/comments/suggestions/packaging dependencies is welcome.
Comment 3 Till Maas 2010-06-30 10:15:56 EDT
Some issues I found at first sight:

1) the manpage does not need to be gzipped manually, this is done automatically by rpm
2) The complex License tag should have a comment explaining why it is that complicated
3) for the locales find-lang.sh should be used (see package guidelines)
4) the correct SF.net download URL is downloads.sourceforge.net/%{name}/%{name}-1.0-rc3.tar.bz2 iirc (see Source guidelines)
5) The patches need comments explaining why they are not upstreamable or, if they are, what their upstream status is, e.g. a pointer to the upstream tracker with the patch would be good. And please add a date to these comments

If you need detailed URLs to the mentioned guidelines, please ask and I will provide them.

And please provide links to unofficial reviews you performed, if you did some.
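The five points above, shown as an added spec excerpt for this review; it is not the submitted w3af.spec and not Michal's or the w3af project's code. The Name, Version and Release values follow the SRPM name in the description and the Source0 URL follows point 4; the patch file names, the man page location inside the tarball and the FIXME License value are placeholders, since the page does not state the real license breakdown or the patch contents.

```spec
# Hypothetical excerpt illustrating the form asked for in comment 3.
# Patch names, the man page path and the License value are placeholders.
%global prerelease rc3

Name:           w3af
Version:        1.0
Release:        0.1.%{prerelease}%{?dist}
Summary:        Web Application Attack and Audit Framework

# 2) A complex License tag needs a comment saying why. The core and the
#    plug-ins are under more than one license (comment 2 notes that GPLv2
#    and GPLv3 are incompatible); list which files carry which license here
#    once the licensing question is settled, then replace FIXME.
License:        FIXME

# 4) Canonical SourceForge download URL, as the Source URL guidelines want,
#    built from the macros so it cannot drift from Version/Release.
Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}-%{prerelease}.tar.bz2

# 5) Every patch gets a dated comment with its upstream status.
# Sent upstream 2010-06-30; hypothetical entry, replace with the tracker link.
Patch0:         w3af-1.0-rc3-example-fix.patch
# Fedora-specific install path fix, not upstreamable (2010-06-30).
Patch1:         w3af-1.0-rc3-example-paths.patch

%prep
%setup -q -n %{name}-%{version}-%{prerelease}
%patch0 -p1
%patch1 -p1

%install
# (remaining install steps omitted)
# 1) Install the man page uncompressed; rpm's brp-compress gzips it itself.
#    The source location of w3af.1 in the tarball is assumed here.
install -p -D -m 0644 %{name}.1 %{buildroot}%{_mandir}/man1/%{name}.1
# 3) Let find_lang collect the locale files instead of listing them by hand.
%find_lang %{name}

%files -f %{name}.lang
# (remaining file entries omitted)
# The trailing '*' matches whatever compression suffix brp-compress adds.
%{_mandir}/man1/%{name}.1*
```

Listing the man page with a wildcard and leaving the compression to rpm means the %files section keeps working if the distribution ever changes its man page compression, which a hand-gzipped `.1.gz` entry would not.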
Comment 4 Jason Tibbitts 2010-11-17 08:38:45 EST
Were the licensing issues ever clarified?

Any response to Till's commentary above?  At this point few people will spend time looking at this ticket if you don't respond to existing commentary.
