On Tue, 2008-02-05 at 01:28 +0100, Moritz Muehlenhoff wrote: > Dave Hall wrote: > > > Note also that there are concerns from the security team about this > > > package > > > > They have never raised any issues with the project via our security > > related email address - [EMAIL PROTECTED] I am more than happy > > to discuss any concerns that they may have. > > [ This is not the main reason, why it was removed. It was removed > because it was marked as unmaintained. Unmaintained packages > which are known to cause security updates are rather maintained > than kept ] > > The main concern is mostly due the way phpgroupware is packaged; it > embeds several components (fudforum, phpsysinfo, xmlrpc are what I > I remember), which need to be fixed separately in several places > across our archive whenever a security problem is found. The PHP > world needs something which resembles shared libs, otherwise this > turns unmaintainable.
As these aren't libraries, they are applications, this doesn't work. They need modification to work as part of phpGroupWare. They are forked versions which are updated from upstream and the modifications merged back in. In the case of true libraries, such as ADOdb, such an approach could work. > > Something, which you as upstream can do to help is to release isolated > patches for security problems. Packaging new upstream releases is not > an option for Debian (as it is not an option for RHEL or SLES either) FYI, I have spent a lot of time helping the maintainers of our debs isolate just the security components of any security release. Cheers Dave -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

