On Fri, 2011-05-06 at 11:29 -0400, Scott Kitterman wrote:
> On Friday, May 06, 2011 11:23:50 AM Tshepang Lekhonkhobe wrote:
> > On Fri, 2011-05-06 at 09:11 -0400, Scott Kitterman wrote:
> > > On Friday, May 06, 2011 08:56:21 AM Chris Warburton wrote:
> > > > Programming Lang: PHP
> > > > Description : ocPortal is a Content Management System for building
> > > > and maintaining a dynamic website
> > >
> > > How many content management systems written in php does Debian need?
> >
> > It's not kool that you didn't even ask about how good it is. Maybe it's
> > better than whatever exists in Debian currently, have you checked? My
> > point is your question isn't helpful. It smacks of flaming.
>
> The question I should have asked is what is its security record like. This
> is an area that's rife with applications that have 'poor' security records.
> Adding more to that pile would be an unfortunate burden on the security team.
>
> That's probably the most significant of the project wide costs adding a package
> like this brings with it.
>
> Scott K
Hi Scott.

ocPortal isn't massively widespread compared to other systems, so there's obviously less experimental proof of security. We had a security hole a few years ago; this was before I got involved, but there are details here: http://en.wikipedia.org/wiki/OcPortal#Criticisms

Official ocPortal releases are managed by ocProducts, a company set up around ocPortal (and who pay my salary), and we have a clear security policy which can be found here: http://ocportal.com/site/maintenance.htm

We also regularly run static code analysis tools on the codebase, and we test every release with a hacked PHP runtime that 1) triggers errors if strings are not explicitly sanitised before going through eval, getting echoed to a browser or being entered into a database, and 2) enforces a type system on variables and function calls (based on type signatures written into the PHPdoc of every function), and raises an error if there is a type mismatch. I actually run this hacked PHP on my system in place of the distro's own.

If there are specific security concerns I'd be happy to address them.

Thanks,
Chris Warburton
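As an added illustration of the two checks Chris's reply describes (this is not ocPortal or ocProducts code, nor the instrumented PHP runtime itself; every name in it is hypothetical), the Python sketch below models them in miniature: a tainted-string type that survives ordinary concatenation and is only cleared by an explicit sanitiser, sinks standing in for echo, eval and database entry that refuse tainted input, and a decorator that enforces declared parameter and return types at call time in the spirit of the PHPdoc signature check.

```python
"""Toy taint tracking plus call-time type checking, modelled on the
instrumented PHP runtime described in the thread. Added illustration only;
not ocPortal/ocProducts code. All names here are hypothetical."""
import html
import inspect
from functools import wraps


class TaintError(RuntimeError):
    """Raised when untrusted data reaches a sink without being sanitised."""


class Tainted(str):
    """A str that came from an untrusted source (request, file, socket).

    Concatenating anything with a Tainted value yields a Tainted value, so the
    mark survives ordinary string building; only a sanitiser returns plain str.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def untrusted(value):
    """Mark data read from outside the trust boundary."""
    return Tainted(value)


def escape_html(value):
    """Sanitiser for the browser sink; str() drops the Tainted subclass."""
    return html.escape(str(value), quote=True)


def quote_sql(value):
    """Sanitiser for the database sink: a single-quoted SQL literal."""
    return "'" + str(value).replace("'", "''") + "'"


def _guard(sink_name, value):
    """Refuse tainted input at a sink; pass sanitised (plain str) input through."""
    if isinstance(value, Tainted):
        raise TaintError("unsanitised string reached the %s sink" % sink_name)
    return value


def echo(value):
    """Stand-in for output to the browser."""
    return _guard("echo", value)


def sql_fragment(value):
    """Stand-in for text entering a database query."""
    return _guard("database", value)


def evaluate(value):
    """Stand-in for eval(); only the check is modelled, nothing is executed."""
    return _guard("eval", value)


def audit(sink, value):
    """True if the sink accepted the value, False if the taint check blocked it."""
    try:
        sink(value)
    except TaintError:
        return False
    return True


def typed(func):
    """Enforce the function's annotations at call time (cf. PHPdoc signatures)."""
    sig = inspect.signature(func)

    @wraps(func)
    def wrapper(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)
        for name, value in bound.arguments.items():
            expected = sig.parameters[name].annotation
            if expected is not inspect.Parameter.empty and not isinstance(value, expected):
                raise TypeError("%s(): %s must be %s, got %s" % (
                    func.__name__, name, expected.__name__, type(value).__name__))
        result = func(*args, **kwargs)
        expected = sig.return_annotation
        if expected is not inspect.Signature.empty and not isinstance(result, expected):
            raise TypeError("%s() must return %s" % (func.__name__, expected.__name__))
        return result

    return wrapper


@typed
def page_title(title: str, count: int) -> str:
    """Builds a heading; taint on `title` propagates into the result."""
    return title + " (" + str(count) + ")"


if __name__ == "__main__":
    name = untrusted("<script>alert(1)</script>")   # constructed sample input
    print(audit(echo, page_title(name, 3)))           # blocked: still tainted
    print(echo(escape_html(page_title(name, 3))))     # accepted once escaped
    print(sql_fragment("WHERE name = " + quote_sql(untrusted("O'Brien"))))
```

The point of the `page_title` example is that taint is carried through helper functions without those functions knowing about it, which is what lets a runtime-level check catch a forgotten sanitiser far from where the input entered. The type decorator is deliberately separate: it catches a `"3"` passed where an `int` was declared, but a tainted `str` still satisfies `str`, so the two checks cover different mistakes.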