Hi
I just checked out aur.git, and I guess it's better to rewrite it in other technologies for better maintenance/features/bug-fixing and implementing other enhancements.
For example, nowadays web applications should be totally safe against XSS/CSRF, but a couple of days ago the AUR experienced some XSS vulnerabilities, and so on...
I'm not talking about the code or code styling or something, no, those are fine. But something like PHP without any framework help is a total disaster. Also, I'm not talking about using a PHP framework either.
If any plan is on, I really would like to know about it.
So what do you think?
Last edited by Alir3z4 (2012-02-23 21:23:30)
I don't see you hackin' like there's no tomorrow 8)
Hi
I just checked out aur.git, and I guess it's better to rewrite it in other technologies for better maintenance/features/bug-fixing and implementing other enhancements.
For example, nowadays web applications should be totally safe against XSS/CSRF, but a couple of days ago the AUR experienced some XSS vulnerabilities, and so on...
I'm not talking about the code or code styling or something, no, those are fine. But something like PHP without any framework help is a total disaster. Also, I'm not talking about using a PHP framework either.
If any plan is on, I really would like to know about it.
So what do you think?
"Should" be safe and "are" safe are extremely different. Tools like Burp Suite and skipfish exist simply because CSRF and XSS vulnerabilities will always sneak in regardless of the framework you use. I suspect that you would be surprised at how many sites out there have numerous vulnerabilities. In particular, I'll point out that despite things like PCI compliance, banks are notorious for being years behind in terms of security.
Regardless, rewriting the AUR comes up pretty often. Sadly, I can't liken it to Duke Nukem Forever anymore, but hopefully you get the point. I encourage you to prove me wrong...
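To make the XSS/CSRF point above concrete, here is a small added example (not code from the AUR or from anyone in this thread) showing the two classic defences side by side: output escaping of untrusted comment text against stored XSS, and a per-session CSRF token that a POST handler checks in constant time. The `SERVER_SECRET`, the session ids and the comment payload are all constructed for the example; the AUR's real handlers, schema and secrets are not assumed.

```python
import hashlib
import hmac
import html
from typing import Optional

# Constructed example secret; a real deployment loads this from config,
# never from source control.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def render_comment_unsafe(author: str, body: str) -> str:
    """Deliberately vulnerable counterpart: raw string interpolation.

    Any <script> or event-handler attribute in `body` is emitted verbatim,
    which is exactly how stored XSS in a comment field comes about.
    """
    return '<div class="comment"><b>{}</b>: {}</div>'.format(author, body)


def render_comment(author: str, body: str) -> str:
    """Hardened form: every untrusted value is HTML-escaped at output time.

    quote=True also escapes ' and " so the values are safe inside attributes.
    """
    return '<div class="comment"><b>{}</b>: {}</div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session: HMAC-SHA256(secret, session_id).

    Embed the result in every state-changing form as a hidden field. A cross-site
    attacker can make the victim's browser send the cookie, but cannot read the
    token, so the forged POST will not carry a matching one.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id: str, form: dict) -> tuple:
    """Simulated 'add comment' POST handler.

    Returns (status_code, body). The CSRF check runs before any state change
    or rendering; only then is the escaped HTML produced.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return (403, "CSRF check failed")
    return (200, render_comment(form.get("author", ""), form.get("body", "")))


if __name__ == "__main__":
    # Constructed payload: what a hostile package comment might contain.
    payload = '<script>alert(document.cookie)</script>'
    print("unsafe :", render_comment_unsafe("mallory", payload))
    print("escaped:", render_comment("mallory", payload))

    token = issue_csrf_token("session-abc")
    # Forged request: attacker's page has no way to know the session's token.
    print(handle_post("session-abc", {"author": "mallory", "body": payload}))
    # Legitimate request from the real form carrying the hidden token.
    print(handle_post("session-abc", {"csrf_token": token, "author": "alice",
                                      "body": "works for me"}))
```

The two halves are independent on purpose: escaping fixes what the page emits, the token fixes who may cause a state change. A framework usually wires both in by default, which is the real argument for one; neither defence depends on the language the application is written in.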
Security was just an example :D, and yes, of course there are many websites that have numerous vulnerabilities. But you can't take it as "others are insecure, so why not the AUR?"
As I said, XSS vulnerabilities are just an instance; my whole point is that there are other ways to develop/maintain the AUR. *Of course there are pretty often ways to maintain Arch Linux itself, maybe you're gonna say!
Last edited by Alir3z4 (2012-02-23 23:18:47)
I've been working on an AUR rewrite, http://aur3.org. It has some of the stuff you mention, such as no PHP. Progress has slowed quite a bit lately, but it has been a good mirror when the real AUR is down for repairs.
Is that because of KISS? Or do folks really not give a heck about it?
What about full-text search?
There were also lots of AUR2 attempts that all died out. The reason is generally lack of motivation to rewrite something that basically works.
There were also lots of AUR2 attempts that all died out.
Oh, I didn't know there was an AUR2 as well :|
The main reason for the "dying out" is that nobody shows any interest; in the first place people come and say "what? who? ha? go away! Why do you want to ruin something that works great?"
Nope, the response was pretty enthusiastic, just read https://bbs.archlinux.org/viewtopic.php?id=112709 or https://bbs.archlinux.org/viewtopic.php?id=99839
Nope, the response was pretty enthusiastic, just read https://bbs.archlinux.org/viewtopic.php?id=112709 or https://bbs.archlinux.org/viewtopic.php?id=99839
Did you find that the AUR's current devs came in and even said hi? Most of them are just normal users who want something.
Seems we should bring other AUR implementations in on a wheelchair, with the hope that someday, by accident, the current AUR gets into some trouble and ....!
Last edited by Alir3z4 (2012-02-26 13:07:58)
The current AUR sort of works (but lacks many 'nice to have' features); AFAIK the other implementations didn't get far. If you show us a working AUR-ng, we can simply copy the PKGBUILDs (not sure about the comments) there.
I don't think we need approval from whoever keeps AUR up and running.
Edit: Obviously you might have to convince TUs to start patrolling AUR-ng instead of the old AUR in case of AUR v. AUR-ng competition.
Last edited by karol (2012-02-26 13:14:02)