koha-devel

Re: [Koha-devel] Issues for README.txt and Makefile.PL


From: MJ Ray
Subject: Re: [Koha-devel] Issues for README.txt and Makefile.PL
Date: Mon, 26 Nov 2007 11:42:02 +0000
User-agent: Heirloom mailx 12.2 01/07/07

"Thomas Dukleth" <address@hidden> wrote: [...]
> As I was preparing some proposed fixes, Joshua Ferraro informed me that
> there are various pending fixes from a few people.  Some of the pending
> fixes will not be pushed up to the Koha git repository because they
> conflict with other more complete fixes.  [...]

That seems like the wrong solution to me.  If people aren't creating
and pushing unannounced fixes to the main repo fast enough, the
conflicts are their lookout IMO.  For example, I didn't know Galen
Charlton was also working on the PL_FILES problems until your email.

A few comments on the other aspects:

> [...] Vincent Danjean has some supplementary Debian packages at
> http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html and MJ
> Ray has some at http://serene.ttllp.co.uk/~mjr/ .  At some point, these
> should be placed in repository for apt to use.

They will be placed in the main repositories.  Vincent Danjean has
pushed some packages to pkg-perl just this weekend.

> 2.1.  PROBLEMS PREVENTING SUCCESSFUL MAKE.
>
> File globbing which captures directories builds a makefile which aborts
> with the following error when running make.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> ERROR: Cannot copy 'installer/data/mysql/fr/mandatory' to
> '/usr/local/lib/cgi-bin/koha/installer/data/mysql/fr/mandatory': Is a
> directory
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>  at -e line 1
> make: *** [pm_to_blib] Error 21
>
> Changing general file globbing from * to *.* for using the '.' in
> filenames can fix that problem.  However, that solution is not robust if
> files are not in *.* form and at least needs a specific correction for
> .htaccess as the only file which does not match the pattern.

A better fix might be to check that glob returns are files with -f or
at least ! -d.

> 2.3.  INSTALLATION FILE OWNERSHIP.
>
> The webserver user should be read and ownership of the necessary files
> should be changed to the webserver user when running make install.

Why?  That seems like a serious security risk, leaving the web
application able to change the file-based configuration if exploited.

I think that is one thing which should be left to defaults, with the
sysadmin tightening things if needed.

> 2.4.2.  KOHA-HTTPD.CONF.
>
> Using the ScriptAlias directives is considered a security vulnerability.

By whom?  It's not mentioned in
http://httpd.apache.org/docs/2.2/howto/cgi.html
- in fact, it seems to suggest the reverse.

> Alias directives, rewrite rules or some other more secure method should be
> substituted for ScriptAlias directives.

Rewrite rules would add extra requirements for Koha hosting.  Not sure
whether that's a problem or not.

Hope that helps,
-- 
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/
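The directory-in-glob failure quoted under 2.1 and the `-f` / `! -d` check suggested in the reply, as an added example in Perl. This is not Koha's Makefile.PL nor code from anyone in the thread: the function name `install_map`, the temporary source tree, the sample file names and the install prefix `/usr/local/lib/cgi-bin/koha` (copied from the quoted error) are all this example's own constructions.

```perl
#!/usr/bin/perl
# Added example, not Koha's Makefile.PL: build a MakeMaker-style PM map
# (source file => install path) from a directory tree, keeping only regular
# files so `make` never tries to copy a directory and aborts with
# "Is a directory".
use strict;
use warnings;
use File::Find;
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Walk $src_dir and map every regular file (dot-files such as .htaccess
# included) to $dest_prefix/<relative path>.  The -f test is the check
# suggested in the reply; a '*.*' glob would skip .htaccess and any
# extensionless file, and a bare '*' glob would include directories.
sub install_map {
    my ($src_dir, $dest_prefix) = @_;
    my %pm;
    find(
        {
            no_chdir => 1,
            wanted   => sub {
                my $path = $File::Find::name;
                return unless -f $path;    # drop directories, sockets, etc.
                my $rel = File::Spec->abs2rel($path, $src_dir);
                $pm{$rel} = File::Spec->catfile($dest_prefix, $rel);
            },
        },
        $src_dir,
    );
    return \%pm;
}

# Constructed sample tree mirroring the layout in the quoted error:
# installer/data/mysql/fr/mandatory is a directory, not a file.
my $src = tempdir(CLEANUP => 1);
make_path("$src/installer/data/mysql/fr/mandatory");
for my $f (
    'installer/data/mysql/fr/mandatory/sample.sql',
    'installer/data/mysql/fr/README',
    'installer/.htaccess',
) {
    open my $fh, '>', "$src/$f" or die "$f: $!";
    close $fh;
}

# Assumed install prefix, taken from the quoted error message.
my $map = install_map($src, '/usr/local/lib/cgi-bin/koha');
printf "%-45s => %s\n", $_, $map->{$_} for sort keys %$map;

# A real Makefile.PL would hand this map to WriteMakefile(PM => $map);
# because no directory is ever a key, pm_to_blib has nothing to choke on.
```

Filtering on `-f` rather than on the file name pattern is what makes this robust: `.htaccess` and extensionless files are kept, while anything that is not a regular file (directories, but also sockets or device nodes that happen to sit in the tree) is dropped before MakeMaker ever sees it.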

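The ownership point under 2.3, as an added example that is not part of the Koha installer or anything posted in the thread: an audit script that lists the files under an installed tree which a given web-server user could modify, which is exactly the condition the reply warns about. The function names `writable_by_user` and `writable_files`, the sample files, their modes, and the user names `nobody` and `www-data` are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of the Koha installer: list the files under an
# installed tree that a given web-server user could modify.  The thread's
# point is that files the application reads (its configuration above all)
# should not be owned by, or writable to, the user the application runs as.
use strict;
use warnings;
use Fcntl ':mode';
use File::Find;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Return true if $user could write $path, judged from the file's owner,
# the user's group memberships and the mode bits.  ACLs and the
# permissions of the containing directories are not consulted.
sub writable_by_user {
    my ($path, $user) = @_;
    my ($uid, $gid) = (getpwnam $user)[2, 3];
    die "unknown user '$user'\n" unless defined $uid;
    my @st = lstat $path or die "$path: $!";
    my ($mode, $fuid, $fgid) = @st[2, 4, 5];
    return 1 if $uid == 0;                                   # root writes anything
    return 1 if $fuid == $uid && ($mode & S_IWUSR);
    my $in_group = ($fgid == $gid);
    unless ($in_group) {
        my $members = (getgrgid $fgid)[3];                   # supplementary members
        $in_group = grep { $_ eq $user }
                    split ' ', (defined $members ? $members : '');
    }
    return 1 if $in_group && ($mode & S_IWGRP);
    return ($mode & S_IWOTH) ? 1 : 0;
}

# Walk $dir and return, sorted, the regular files $user could write.
sub writable_files {
    my ($dir, $user) = @_;
    my @hits;
    find({ no_chdir => 1, wanted => sub {
        my $p = $File::Find::name;
        push @hits, $p if -f $p && writable_by_user($p, $user);
    } }, $dir);
    return sort @hits;
}

# Usage: audit.pl [DIR [USER]].  With no arguments a constructed tree is
# scanned against the user 'nobody' (assumed to exist on the machine).
my ($dir, $user) = @ARGV;
unless (defined $dir) {
    $dir = tempdir(CLEANUP => 1);
    make_path("$dir/etc");
    # Constructed sample: one config file with a sane mode, one left
    # world-writable.  Both are owned by whoever runs this script.
    for my $spec (['etc/koha-conf.xml', 0640], ['etc/koha-httpd.conf', 0666]) {
        my ($name, $mode) = @$spec;
        open my $fh, '>', "$dir/$name" or die "$name: $!";
        close $fh;
        chmod $mode, "$dir/$name" or die "chmod $name: $!";
    }
    $user = 'nobody' unless defined $user;
}
$user = 'www-data' unless defined $user;   # Debian's Apache user, assumed

for my $f (writable_files($dir, $user)) {
    print "writable by $user: $f\n";
}
```

Run against a real install as `perl audit.pl /usr/local/lib/cgi-bin/koha www-data`: every line it prints is a file that an exploited CGI process could rewrite, and a configuration file in that list is the case the reply objects to. A clean result is what "leaving it to defaults" (files owned by root or the installing user, readable but not writable by the web-server user) should produce.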