From: Shane Z. <sh...@lo...> - 2008-02-16 14:29:42
Here's the 2.2.6 tarball with the two security patches in-place. Note, I didn't use the exact patches that (I think Jamie) had created, because some of the variable names in them just don't even exist for 2.2.6.

http://lottadot.com/slash-2.2.6a.tar.gz

FYI, I think the original poster is correct in requesting this. It seems as though the tarball file should have been patched and replaced. This took about a grand total of 2 minutes to do. I don't see how "time" is an argument for not doing it, it's a security hole! (my $.02)

Please someone from SF consider updating the tarball on the slash SF page with the new one linked above.

Quite honestly if some kind soul were to have the time, they should go through all/any of the relevant issued patches on slashcode.com and apply them against the 2.2.6 tarball and re-release it entirely. (I think there was a DST fix somewhere along the lines, etc). Which, I'd consider doing but I don't have the time at the moment. Oh wait, didn't I just complain about that earlier? ;)

As far as Rob stating that Slashdot doesn't use tarballs, so it's not a priority for them. Fair enough. We do the exact same thing. In fact, I've hardly ever over the past few years put a tarball together of something I'm GPL'ing (and I occasionally get a nasty email telling me I'm a jerk for not doing that).

Would it be possible for the sourceforge-cvs setup to generate a tarball every time a T-tag is committed on Thursday mornings and remove the prior t-tag's tarball? Maybe this could be done with R-tags too? The only way it'd be worth anything is if it's automated so no person has to deal with it each week. I've seen other projects that have an automated build system, so maybe this is something that could be set up easily? I've never hosted a project on SF so I honestly don't know if this is possible or the amount of time it would take one to set it up.

Shane

On 2/16/08, Rob Malda <ma...@sl...> wrote:
>
> At risk of sounding like a jerk, Slashdot doesn't use the releases at
> all. We deploy from the tagged versions... so creating a tarball and
> a release is simply not a priority for us.
>
> I'd love to see releases happen, but given the thousand other things
> on the TODO list that directly impact our day to day operations, I
> have a hard time giving it any real priority.
>
> On Feb 16, 2008, at 7:36 AM, Penang A1 wrote:
>
> > Since I'm the one who asked the original question, please allow me
> > to state why I asked that question ...
> >
> > Many years ago I set up a site using slashcode. Worked flawlessly !
> >
> > Recently, as I was preparing to set up another site with slashcode,
> > lo and behold, an announcement of a serious security issue ! So I
> > went to sourceforge and check ... and was disturbed to find out that
> > the files there were all the old ones !
> >
> > It's not that I can't do the update as described by others, the main
> > reason I post that original question is because I am thinking of
> > ***THE NEW USERS*** who want to try out slashcode but aren't aware
> > of the security issue.
> >
> > Or it could be that people knew about the security issue, but
> > thought (wrongly!) that the slashcode files at sourceforge contain
> > the fix already, and therefore are safe to use !
> >
> > We shouldn't be thinking just for people like us, the long time
> > users. There _are_ others who don't even know about this mailing
> > list !
> >
> > Let me post the question this way:
> > If people use slashcode and got their sites hacked,
> > wouldn't it tarnish the reputation of slashcode?
> >
> > We wouldn't want that, do we??
> >
> > Hence, can someone please do all of us a favor, please update the
> > slashcode files at sourceforge with the fix.
> >
> > Thank you all for reading !!
> >
> > Lee
> >
> > > Date: Fri, 15 Feb 2008 10:10:04 +0100
> > > From: ab...@no...
> > > To: sla...@li...
> > > Subject: Re: [Slashcode-general] Will there be a new slashcode
> > > release at sourceforge ?
> > >
> > > Hi,
> > >
> > > On Thu, Feb 14, 2008 at 07:17:04PM -0500, Shane Zatezalo wrote:
> > > > I think the reason why you see people asking for a point-release is
> > > > because the point-release would typically have included in it a
> > > > scripted-method to upgrade from prior version(s).
> > >
> > > Ack. That's one of parts really necessary for a distribution if they
> > > want to ship Slashcode as package: An automatable upgrade path.
> > >
> > > > Also, the point release would have to have some serious testing and
> > > > what-not done to it before it could be released.
> > >
> > > Another point of stable releases which would make it more suitable for
> > > packaging and especially later maintaining.
> > >
> > > Regards, Axel
> > > --
> > > Axel Beckert - ab...@de..., ab...@no... - http://noone.org/abe/
> > >
> > > _______________________________________________
> > > Slashcode-general mailing list
> > > Sla...@li...
> > > https://lists.sourceforge.net/lists/listinfo/slashcode-general
>
> ---
> Rob "CmdrTaco" Malda
> ma...@sl...
> Pants are Optional.