From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2012-March/004312.html | 259 +++++++++++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2012-March/004312.html (limited to 'zarb-ml/mageia-sysadm/2012-March/004312.html') diff --git a/zarb-ml/mageia-sysadm/2012-March/004312.html b/zarb-ml/mageia-sysadm/2012-March/004312.html new file mode 100644 index 000000000..1ce2e225a --- /dev/null +++ b/zarb-ml/mageia-sysadm/2012-March/004312.html @@ -0,0 +1,259 @@ + + + + [Mageia-sysadm] [forums-discuss] Re: updating sysadmin privileges in forum config + + + + + + + + + +

[Mageia-sysadm] [forums-discuss] Re: updating sysadmin privileges in forum config

+ Michael Scherer + misc at zarb.org +
+ Sat Mar 24 14:45:34 CET 2012 +

+
+ +
Le samedi 24 mars 2012 à 12:48 +0100, Wolfgang Bornath a écrit :
+> 2012/3/24 Michael Scherer <misc at zarb.org>:
+> > Le jeudi 22 mars 2012 à 08:18 +0100, Wolfgang Bornath a écrit :
+> >
+> >> He is talking about the update of the forum software phpBB3. The
+> >> version used at Mageia is outdated since summer 2011. New versions of
+> >> phpBB3 almost always are caused by security issues. This has been
+> >> mentioned several times in the forum threads. The point is that the
+> >> implementation of the forum software at Mageia (involving puppet,
+> >> etc.) was done this way to "ease forum software maintenance" (quoting
+> >> maât). :)
+> >
+> > Strictly speaking, what would have really helped the maintenance would
+> > have been to use :
+> > - a forum properly packaged, not one requiring specific deployment
+> > process like the current setup we have. Packages solved part of the
+> > problem since 15 years, maybe it would be a good moment to start using
+> > them.
+> > - a forum that do not requires to patch it for adding features
+> > - a forum that do not requires update on a regular basis.
+> 
+>  - I know not much about packaging (just the essentials). 
+
+I know packaging, and more than "the essentials", I also know system
+administration, and also more the essential, partly because that's my
+job.
+
+> But I doubt
+> there would be benefits by having a package for the forum software.
+> Quite to the contrary, a simple change of a character in one of the
+> php files would cause the need of an update of the whole package,
+> while as is you just need to exchange this one php file. If there
+> would be a benefit I guess there would have been phpBB packages for
+> years, phpBB being the most popular forum software, not only in the
+> Linux world. Ok, a weak point, I admit.
+
+The point is indeed weak.
+
+For the start, having a package would ease the testing, since right now,
+people just have no clue on how to replicate our setup. There is the
+puppet manifests, but I take for granted that the intersection of those
+that know how to use them and those interested into testing phpbb is
+near 0.
+
+Second part of having a package is that it would benefit to others if in
+the distribution. It would also ease the management of version by the QA
+( cause if stuff is really important, you want to have it checked before
+it goes live ).
+
+Another idea is to detect when there is change in the php files, by
+using the rpm -V feature. That's quite handy when there is a problem
+( again speaking of experience ).
+
+And having a rpm in the distribution also mean that we can benefit from
+the whole framework on making sure this is up to date, making sure that
+basic quality is respected, etc. Something that is far from being the
+case with a random zip taken from the web, especially from php software.
+And I do not even talk of more complex security system like tomoyo or
+selinux.
+
+It also mean that the packager is following the update policy, which is
+here to prevent unwanted breakage by minimizing changes.
+
+A package also mean we know what we can remove from the server, or what
+we need. If we say "phpbb need php-zip", we know that the 2nd need to
+have a packager, or we are in trouble. 
+
+If we wanted to use slackware-style package on our servers, we would
+have done so.
+
+
+Oh, and there is package for phpbb in debian. So the lack of package in
+mageia just show that no one is interested into it, and show there isn't
+much correlation about what users would want and what people are
+interested to do.
+
+
+>  - How would you implement requested features which are not available
+> in the forum software other than by "MODs" (which is the same as a
+> patch?
+
+Usually, with well designed software, that work with plugins. Of course,
+with some stuff, that goes by "let's duplicate the source code and deal
+with merging source code update". There is ton of example of why this is
+wrong ( search "technical debt" on a search engine for lots of articles
+on the topic ), hence the need to use a software properly designed, and
+to stay in a well designed process.
+
+For example, bugzilla has a rather clean API in the version 4.0.
+Firefox, evolution, kde, all can be extended because they were designed
+this way.
+
+In fact, every single software that we can consider extendable in the
+world has some form of plugin system, . Except for some web application,
+because people are too impatient or too enthusiast to do stuff more
+slowly and properly, because it take time to design a proper API.
+
+And that's not because others application are harder to edit. There is
+lots of python, ruby and perl application out there that are no more
+harder to edit in place than php. And yet, coders usually add extensions
+system rather than telling "just edit the file and that's it". 
+
+We did take the "let's patch bugzilla to death" during the mandrake era.
+This ended with a outdated bugzilla. 
+
+And frankly, the whole idea of mod is a sign that phpbb is not suitable
+out of the box, as I said in the past. So while maybe the others are not
+either, that's still a signal that something is wrong.
+
+>  - every php based forum software I know (I think I know almost all of
+> them at least from testing) gets regular updates from upstream. Most
+> of the changes between versions are not added functionalities or nicer
+> looks (where implementing an update could be a matter of discussions)
+> but needed bug fixes and even more needed security fixes. That's why
+> updates are unavoidable and should be done in due time. If you know a
+> forum software with equal functionality and which does not require
+> such updates, great, let's have it!
+
+I never said that update should not be done in due time. But the fact
+that you need to patch the software is a clear blocker for doing
+upgrade. There is unit test in place in phpbb to ease everything, but I
+doubt that coders who know how to write tests would be ok with the whole
+"patching the code" style of extensions.
+
+And that's also a point for having a package in the distribution, where
+we have a proper process for upgrade. There is nothing more special
+about the forum software than for the rest of the system that would
+warrant being treated differently.
+
+> > We are open to discuss patches or even constructive comments to the
+> > puppet setup, but it seems that no one sent anything at all. I have
+> > justified everything we did, and the reason for not having a free for
+> > all system due to privacy and security requirements that I explained
+> > enough to not repeat myself.
+> 
+> Exactly these (privacy & security) are the reasons for forum software
+> updates. To me the current implementation was explained as a way to
+> ease maintenance. 
+
+Easing doesn't mean "give a magical wand to do upgrade". If no one do
+it, it just doesn't happen. 
+
+> That's why I (and others) asked in the forum why
+> needed updates were not installed. I asked this in the forum because
+> for a forum user the forum admin is the right person to contact, not
+> any other group or person, not any other platform.
+
+There is what people may think regarding who to contact, and the
+reality. If the 2 doesn't match, that's usually the reality that win.
+
+> > I either didn't see any pull request of patch to upgrade the forum in
+> > git, nor any request to have write access to the aforementioned git by
+> > anyone. While I can imagine that puppet, despite being dead easy and
+> > very well documented, is too complex for a hobbyist sysadmin, I do not
+> > think that git is a so obscure and unknown technology that no one ever
+> > tried to do anything with it.
+> 
+> Maintaining the forum (implementing modifications, updates or starting
+> these by creating a bug report or whatever needed) is the most
+> prominent task of the forum admin, there's not much else for him to
+> do. It is not the user's job to care for such things. Maât himself
+> even explained the workflow once in the forum, so he knew exactly what
+> to do. So, if you blame somebody about missing requests or whatever,
+> pls knock on the right door.
+
+>From my point of view, everybody can open a bug report or send patches.
+No one did, and you can say as much as you want "this is not my fault",
+that will not change anything nor retroactively make bug reports appear.
+
+I would add that if people have a pretension to become admin or
+anything, they should at least attempt to act as such. Ie, sending
+patchs, etc.
+
+The last "git push" is not harder than "git send-email".
+
+> > Also, it seemed obvious to me that security issues should be treated
+> > like the rest of the issues, on bugzilla and not on forums. I still see
+> > no bug opened for that on the bug tracker.
+> 
+> You're right, it's no topic for forum discussions. If updates are
+> available upstream, the admin should open a bugreport, adding an
+> "important" tag to ensure that it is done in due time. This was never
+> done.
+> 
+> Summary: this discussion only started because somebody did not do his
+> job (whatever reason). Hopefully exchanging people on the relevant
+> position will improve the situation.
+
+No, the discussion started because no one did the job. We are not
+Mandriva, there is not "someone is in charge so I do nothing" bullshit
+state of mind with the company and the rest of the world separation. The
+system is open enough that someone skilled enough and motivated enough
+can do most of the job, except the last step. 
+
+If people were really concerned on contributing instead of speaking how
+they would want to do something or how others didn't do what they
+wanted, they would have done something.
+
+-- 
+Michael Scherer
+
+
+ + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+
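Review bot: the added line `>From my point of view, everybody can open a bug report or send patches.` begins Michael Scherer's own unquoted paragraph, yet it carries a leading `>`. This looks like mbox From-escaping left in by the archive export, and it makes the sentence read as if it were quoted from Wolfgang Bornath. Unescape a leading `>From ` when generating the HTML so that attribution in the archived thread stays correct. The commit message ("Add zarb MLs html archives") also does not say where the archives were exported from or with which tool, which would help anyone who later needs to regenerate or verify these files.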