Item8311: Configuration warnings and management in Debian packages
Priority: Enhancement
Current State: Needs Developer
Released In: n/a
Target Release:
In http://trac.foswiki.org/browser/trunk/core/tools/pkg/debian/patches/00_More_Extensions_warning.dpatch?rev=3207 a warning was added to the Debian 1.0.x branch packages about installing from source rather than packages, and a recommendation to not use configure to install and configure extensions.
In http://trac.foswiki.org/changeset/5244 I removed this patch from trunk, where it no longer was capable of applying (the code and functions all changed).
SvenDowedeit asked that I find a way to restore it in trunk.
In http://foswiki.org/Tasks/Item8301 Sven and I both expressed reservations about configure in Debian packages, and downloading and executing (as the web server uid) at the request of a web user.
This may be more of a global issue - executing unsigned content in the extensions and their installers, but it manifests most in DebianPackage, where there is an existing solution to signing executable content. CPAN and most other upstream authors have unsigned content, which Debian reduces to a single download by a developer (who often looks over the new differences).
My inclination is to split configure off into a separate package, and make it an alternative to a different configuration package that ships a fairly simple Debianized demonstration configuration (using debconf, only packaged-extension installed, etc). Users would then have the choice of the current Foswiki configure setup, and Debian-driven basic configuration, or no configuration and all manual install (for the complex cases where configuration has to be handled manually anyway).
-- DrakeDiedrich - 23 Oct 2009