Item8311: Configuration warnings and management in Debian packages
Current State: Needs Developer
Released In: n/a
A warning was added to the Debian 1.0.x branch packages about installing from source rather than packages, and a recommendation to not use configure to install and configure extensions.
I removed this patch from trunk, where it no longer was capable of applying (the code and functions all changed). SvenDowedeit asked that I find a way to restore it in trunk.
Sven and I both expressed reservations about configure in Debian packages, and downloading and executing (as the web server uid) at the request of a web user.
This may be more of a global issue - executing unsigned content in the extensions and their installers, but it manifests most in DebianPackage, where there is an existing solution to signing executable content. CPAN and most other upstream authors have unsigned content, which Debian reduces to a single download by a developer (who often looks over the new differences).
My inclination is to split configure off into a separate package, and make it an alternative to a different configuration package that ships a fairly simple Debianized demonstration configuration (using debconf, only packaged-extension installed, etc). Users would then have the choice of the current Foswiki configure setup, and Debian-driven basic configuration, or no configuration and all manual install (for the complex cases where configuration has to be handled manually anyway).
- 23 Oct 2009