"Thomas Dukleth" <kohadevel@agogme.com> wrote: [...]
As I was preparing some proposed fixes, Joshua Ferraro informed me that there are various pending fixes from a few people. Some of the pending fixes will not be pushed up to the Koha git repository because they conflict with other more complete fixes. [...]
That seems like the wrong solution to me. If people aren't creating and pushing unannounced fixes to the main repo fast enough, the conflicts are their lookout IMO. For example, I didn't know Galen Charlton was also working on the PL_FILES problems until your email. A few comments on the other aspects:
[...] Vincent Danjean has some supplementary Debian packages at http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html and MJ Ray has some at http://serene.ttllp.co.uk/~mjr/ . At some point, these should be placed in repository for apt to use.
They will be placed in the main repositories. Vincent Danjean has pushed some packages to pkg-perl just this weekend.
2.1. PROBLEMS PREVENTING SUCCESSFUL MAKE.
File globbing which captures directories builds a makefile which aborts with the following error when running make.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ERROR: Cannot copy 'installer/data/mysql/fr/mandatory' to '/usr/local/lib/cgi-bin/koha/installer/data/mysql/fr/mandatory': Is a directory !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! at -e line 1 make: *** [pm_to_blib] Error 21
Changing general file globbing from * to *.* for using the '.' in filenames can fix that problem. However, that solution is not robust if files are not in *.* form and at least needs a specific correction for .htaccess as the only file which does not match the pattern.
A better fix might be to check that glob returns are files with -f or at least ! -d.
2.3. INSTALLATION FILE OWNERSHIP.
The webserver user should be read and ownership of the necessary files should be changed to the webserver user when running make install.
Why? That seems like a serious security risk, leaving the web application able to change the file-based configuration if exploited. I think that is one thing which should be left to defaults, with the sysadmin tightening things if needed.
2.4.2. KOHA-HTTPD.CONF.
Using the ScriptAlias directives is considered a security vulnerability.
By whom? It's not mentioned in http://httpd.apache.org/docs/2.2/howto/cgi.html - in fact, it seems to suggest the reverse.
Alias directives, rewrite rules or some other more secure method should be substituted for ScriptAlias directives.
Rewrite rules would add extra requirements for Koha hosting. Not sure whether that's a problem or not. Hope that helps, -- MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 - Webmaster-developer, statistician, sysadmin, online shop builder, consumer and workers co-operative member http://www.ttllp.co.uk/ - Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/