Zikula, a web-based CMS is currently packaged for Fedora. Previously bugs were filed against Zikula for bundled libraries and those have been stripped, and the current package uses system libraries. Upstream, contrary to their own policies, released version 1.2.x with a bundled php-gettext which they then forked. They announce that their intention is to rid themselves of php-gettext altogether with the release of version 1.3
A number of bugs have been filed. Some of those are functional bugs as portions of Zikula are using deprecated php functions. Additionally in the last 24 hours, multiple security vulnerabilities have been filed against Zikula (those tickets are currently embargoed in bz.rh.com) Both the functional bugs and the security issues have been fixed in Zikula 1.2.3.
As such, to resolve these issues, I'd like for FESCo to grant a limited exception for zikula to carry it's own bundled/forked php-gettext so that these functional and security issues can be resolved using upstream's release.
Thanks for your consideration.
Some questions:
Adding meeting keyword, as well as cc'ing some packaging folks for input.
When is version 1.3 scheduled to be released?
I have been told it's within the next several months. But no firm date has been given to me. You can see their roadmap here: http://code.zikula.org/core/roadmap
Is upstream pretty good about meeting scheduled release dates in the past?
I've only been through a couple of releases with upstream, and while they haven't been without slips, they have generally been within a few weeks of dates, though the dates don't seem to have a schedule per se, I think it's more of a we're close, so we're going to work to $date.
Would any of these issues affect our php-gettext package?
None of the issues which are functional are security bugs affect php-gettext. The functional and security bugs are problems in Zikula itself. php-gettext has just been forked, and is the blocker for us pushing up a new version of zikula.
Fixing up keywords here so it matches the meeting report.
Added to 2010-05-11 meeting.
Does zikula as packaged in Fedora currently bundle gettext?
Mitigating factors:
I'm inclined to say that we should update the package despite the bundled library for those reasons. We can work on pushing the bundled code out of zikula if we feel they aren't going to make either their 1.3 release date in a timely manner or that php-gettext will still be a prerequisite when 1.3 releases. (Perhaps a FES special ticket if that should be the case since zikula is being deployed in Fedora Infrastructure?)
Replying to [comment:4 toshio]:
No, the current version of zikula does not bundle gettext. This has been one of the reasons I haven't pushed v1.2.x despite 1.2 becoming available around 6 months ago. Knowing they had bundled and forked php-gettext, we urged them to contribute patches upstream, and also packaged php-gettext in preparation for that time. If not for the security problems we likely would still be waiting on either patch acceptance or 1.3.
This temporary exception was granted at the 2010-05-11 meeting.
Will leave the ticket open to track it and make sure 1.3 lands without the bundled lib.
Removing from meeting agenda.
I would like to cover the PHP-Gettext fork issue because it has not been represented here correctly.
Firstly, we have the exact same no forking policy as Fedora. We simply do not sanction modification of 3rd party dependencies and there are absolutely no exceptions to this rule.
PHP-gettext library is not, and was not from the outset, suitable for Zikula without modifications to couple it directly to Zikula. We found it as a potential solution mainly for parsing .mo files. We never introduced it to Zikula as a 3rd party dependency but as something to be subsumed by Zikula. Your policy of no forking is correct when projects are fixing small bugs or tweaking things without contributing that upstream, but for our purposes, PHP-Gettext does not suite our needs at all.
I think Fedora has to respect vendors right to create new libraries (out of other libraries) - this is not a small fork but a complete rework for Zikula's specific purposes. You also know the PHP-gettext authors are historically religiously inflexible and difficult people to work with even though this is not the reason for our decision. We had many discussions with David Nally about this and we deliberately reworked the library so it was clear it was no longer a 3rd party library but something that is part of Zikula.
Our intention to rewrite this gettext functionality is not based on the 'no forking' reasons however, but for the fact the PHP-gettext authors will not sanction a derivative work licensed under Lesser GPL and for our purposes we need all 3rd party libraries to be based on non-viral yet GPL compatible licenses like new BSD, LGPL and MIT.
So you can see the PHP-gettext library is not bundled with Zikula. We have modified this code for our purposes in a tightly coupled manner to become part of Zikula as opposed to being a 3rd party dependency. Our intention is to replace this code, but due to other priorities I cannot saw exactly when it will happen except it is intended - I hope it will be part of 1.3 but because we have been delayed, it is no longer a required ticket for the 1.3 milestone.
Regarding release date for 1.3 we will set a release date soon after we push Zikula 1.3.0-BETA1 so we have a good baseline to make a realistic projection.
Separately, we will need to know the modules you use for your implementation of Zikula to make sure that there is full compatibility with the 3rd party modules you use because Zikula 1.3.0 sets out to deliberately break non API compliant module code in an effort to raise the quality bar as part of the milestone requirements.
Ref the security vulnerabilities: The ones we were notified about at htbridge.ch have been fixed in Zikula 1.2.3 unless there are any others we have not been informed about? I believe Scunia picked up these but they still havent updated the status, but so you know the origin of the CVEs was htbridge.ch.
Can you file this over on the FPC trac now?
https://fedorahosted.org/fpc/newticket
We are having FPC handle bundled library requests now. Thanks.
I'm not sure what the current status here is. Is this bundling done now?
This exception was granted by FESCo several months back. However, the exception was limited to 1.2.x (Upstream had plans to eliminate the library in question in 1.3.0) 1.3.0 hasn't yet been released. The ticket remained open because FESCo was going to follow up and ensure that this was not an issue in 1.3.0
That said - do I need to file a ticket with FPC since the exception has already been granted? (Happy to do so if it's appropriate.)
Yeah, they have been delegated the power to deal with bundled libs, so I think it might be best to file a ticket there, note that you were granted an exception and that it's just a tracking bug for fixing it when 1.3 is out.
done as ticket 29 https://fedorahosted.org/fpc/ticket/29#preview
Login to comment on this ticket.