[Pkg-awstats-devel] Fwd: Bug#572353

Jonas Smedegaard dr at jones.dk
Thu Apr 1 12:38:22 UTC 2010


On Thu, Apr 01, 2010 at 12:55:51PM +0200, Andreas Henriksson wrote:
>On Thu, Apr 01, 2010 at 12:38:20PM +0200, Jonas Smedegaard wrote:
>> Hi,
>>
>> On Thu, Apr 01, 2010 at 10:39:15AM +0200, Andreas Henriksson wrote:
>> >On Thu, Apr 01, 2010 at 12:15:30PM +0400, Sergey B Kirpichev wrote:
>> >>Can we make a point release?  Do you think one isn't ready?
>> >>
>> >>There are a few easy-to-handle bugs (e.g., #572353, #415334), but
>> >>the freeze is coming...
>>
>> >My personal opinion is that aiming for perfection is wrong,
>> >we should only consider if the current state is an improvement or not.
>> >I think it is, but it would be very nice if Jonas with his
>> >historic knowledge about the awstats challenges could find
>> >time to review the package and maybe iron out any critical issues
>> >before we go ahead.
>>
>> Improved *functionality* might be weakened *security*.
>>
>> I might be wrong (and apologize if so - Sergey has put tremendous
>> work into improvements here), I just fear that extending to support
>> multiple config files has stolen focus from the IMO bigger issue of
>> keeping data secure by default.
>
>I'm not aware that any of the less than optimal alternatives
>to read the apache2 log files has actually been implemented..

Right.  I see that now.

I confused two separate issues:

  1) handling multiple config files
  2) ways for wider access to output out-of-the-box

Only 2) is (highly) security-related.

I dislike how the new debian/update.sh hides all output (including
potential errors) and uses ls (which is IMO not as reliable as e.g.
find).  But that's more stylistic and shouldn't delay release.

I still am uncertain of the actual production quality of the current 
packaging code, but instead of waiting any longer I have now released 
for experimental, to allow more users to test and report back.


>> >If you need any assistance in getting the package uploaded,
>> >feel free to poke me and I'll help out. I guess you might
>> >need sponsorship?
>>
>> I am a Debian Developer.  "Sponsoring" is for packages created without
>> connections to Debian getting injected into Debian, not for teams
>> which have Debian Developers involved.
>
>I was thinking about Sergey. AFAIK he's not a DD. I know you are. :)

Ah, then it's just a matter of the term used:

If you'd written "I guess you need help actually releasing" then I agree 
and wouldn't have commented on it. :-)


  - Jonas

-- 
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private