Question about web applications

David Nalley david at gnsa.us
Thu Jun 4 11:41:29 UTC 2009


On Thu, Jun 4, 2009 at 7:33 AM, Paulo Cavalcanti <promac at gmail.com> wrote:
>
>
> On Thu, Jun 4, 2009 at 8:00 AM, David Nalley <david at gnsa.us> wrote:
>>
>> On Thu, Jun 4, 2009 at 6:23 AM, Paulo Cavalcanti <promac at gmail.com> wrote:
>> > Hi,
>> >
>> > I submitted ampache (http://ampache.org/) for review, but I was told
>> > that it
>> > could not use any external software
>> > bundled in the code. In fact, it uses getid3, a file that seems to come
>> > from
>> > horde (horde/Browser.php),
>> > and some others.
>> >
>> > According to the Wikipedia (http://en.wikipedia.org/wiki/Ampache)
>> >
>> > "Ampache has been featured in numerous online blogs and technical
>> > articles.
>> > One of the more notable was the O'Reilly book Spidering Hacks which
>> > tested
>> > the security of online applications. Ampache was found to be immune to
>> > standard spidering hacks as described in the O'Reilly article, and it
>> > has
>> > continued that trend by focusing on security during its development. The
>> > Code Philosophy listed on Ampache's wiki specifically lists security as
>> > one
>> > of those most important considerations during application development."
>> >
>> > Does it make any sense to fiddle something that has always had security
>> > as a
>> > prime concern?
>> >
>> > Any comment is welcome.
>> >
>> > Thanks.
>> >
>> > --
>> > Paulo Roma Cavalcanti
>> > LCG - UFRJ
>> >
>>
>>
>> Perhaps I am the least well suited to respond as I did some of the
>> initial review.
>
> No, on the contrary.
>
>>
>> However, there are at least 10 bundled libraries with ampache,
>> including pear-XML_RPC, nusoap, getid3, small snippets from Horde,
>> captchaphp, php-Snoopy, etc.
>>
>> In addition to the security benefits, creating the separate package
>> means other packages (even other web apps) can make use of the
>> libraries that would be available in Fedora instead of just ampache.
>> I can empathize with the extra work that this causes, as I am trying
>> to fix a few of these problems with another web app.
>>
>
> Maybe we can list all of the packages we would like to have for web
> applications, and try to set a "task force" to cope with them?
>
> I think if we had three or four people willing to help, the work would be
> concluded fast. There are always people looking forward to contributing,
> but without a good package to work with.
>


I think that's an outstanding idea, and I'd be willing to work towards
such an end, and perhaps since there is such a prevalence of php we
can get some buy-in from the php-sig as well. To illustrate some of
the usefulness - I have a web app I am working on now that uses
php-Snoopy as ampache also does, so that's at least two applications
that can make use of the package.



