"Torsten Werner" <[EMAIL PROTECTED]> writes: > On Sat, Nov 22, 2008 at 9:48 AM, Thomas Viehmann <[EMAIL PROTECTED]> wrote: >> given that there seems to be limited interest in fixing the #475737 (3 >> weeks since reopen without further comments), how about removing otrs2 >> from lenny? > > I had sent the following reply to the list (but not to the bug) weeks > ago but I did not get an answer so far:
I tried to bring a bit of order into this mess. In #475737, two issues
were covered:
(i) Files in /usr are written.
(ii) The web frontend (aka www-data) is able to write random perl code
into files that are later executed by the otrs2 user
So, we can fix (i) easily: Just push the config file to somewhere in
/var or /etc, fix the code or symlink it in from /usr, make it writable
by www-data and we are done. Moving it to /etc seems a bit evil, as this
data isn't meant to be changed manually, so /var seems like the better
option.
(ii) is a more complex issue, and I would consider this as something
that could get a lenny-ignore tag. The main problem, communication
of configuration changes between the web frontend and the rest of the
OTRS suite, enforces some way of passing information. Using
turing-complete perl code for that isn't the best way.
Luckily, OTRS already uses XML for its configuration in quite a few
places, and it might be a reasonable idea to use exactly that for the
web frontend. The general idea would then be to write out XML
configuration files as www-data, which are then parsed by
Kernel::System::Config. This would also get rid of the horrible
_XML2Perl function currently used.
This is a big, long-term change that should be discussed with
upstream (and I'm willing to propose this, and write code for it). What
do you think?
Marc
--
BOFH #167:
excessive collisions & not enough packet ambulances
pgp64q2BzgGKG.pgp
Description: PGP signature
