[pkg-php-pear] php-htmlpurifier ready for tests (Security flaws in the current Debian version)

David Prévot taffit at debian.org
Sat Oct 18 01:30:05 UTC 2014

Hi Roland,

[ Switching back in English for the benefit of other recipients, who are
  also welcome to provide feedback. ]

On Thu, Oct 16, 2014 at 06:48:31PM -0400, David Prévot wrote:

> As agreed with Roland, I’m taking the lead on this proposal. The updated
> package should be ready by tomorrow, and I will coordinate with the
> fusionforge maintainers (since gforge-common depends on
> php-htmlpurifier) to get some testing before the actual upload.

The package ready for test and upload is online:

If you’d like to inspect the source and rebuild it, feel free to fetch
it from its (new) VCS. I’ll replace the (old) one on collab-maint by a
symlink after the upload:

The previous version of this package used to be installed outside of the
PHP path, with symlinks to restore the usual expectations. This version
does it the other way around (to keep backward compatibility, since
e.g., moodle uses the files from /usr/share/php-htmlpurifier). I intend
to drop those symlinks after Jessie gets released, so please, do update
your package if you use /usr/share/php-htmlpurifier too.

The directory to symlink and vice versa dance uses some recent features
of dpkg-maintscript-helper(1), thus the Pre-Depends on dpkg (>= 1.17.5).
If you expect to use this latest php-htmlpurifier on Wheezy or any other
old system without such a recent dpkg version, I can implement the dance
the old way (but since it’s a bit more error prone, I will only do so on

I’ve also ditched the patch to disable the caching implementation, and
instead provided a writable (to www-data) directory inside /var/lib by
default. If you believe it’s a bad idea to introduce such change less
than three weeks before the freeze, I can be more conservative and stage
that change for Jessie+1.

Thanks in advance for your feedback. If I don’t get negative feedback by
Monday, I intend to upload the package as is (it will already be late:
two weeks before the freeze). I would much prefer get feedback sooner,
and upload this package as soon as you believe it’s OK.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20141017/eb830f61/attachment.sig>

More information about the pkg-php-pear mailing list