Please check whether the use of 'einstall' in this ebuild is actually needed. From a quick glance at the Makefile, it seems to have proper support for DESTDIR. Therefore, if possible please replace the call to 'einstall' with proper 'default' or 'emake DESTDIR="${D}" install'. Thanks.
1.21 was released years ago to fix security issues included in 1.20 (a CVE from 2003)... 1.21 is from 2004 and, then, I really wonder about the security status of this server. I would then remove it
I actually quite like this package. There's been no CVE for this package since 2004, well, isn't that actually a good thing? Does not seem like a reason for removal.
It has no CVE because nobody is caring and using it for years, and looking the history of CVEs that this *server* was getting when people cared, I wouldn't really trust it
https://web.nvd.nist.gov/view/vuln/search-results?query=webfs&search_type=all&cves=on Yes, those were quite bad indeed. Still I don't subscribe to a logic of "there must still be security bugs because there were some in the past and I guess no one is using it because there are no recent CVEs". It's quite possible that the author took a good look at the whole of the request parsing code when fixing these bugs. And I don't think absence of recent CVEs equates to "no one is using it". I could proxy-maintain it and fix up the ebuild if that's the pain point.
I like this package a lot as well. Please keep it in portage. 'ik use dit'
There are plenty of web servers available, why do you want to keep people using this one that is clearly abandoned and probably risky to run? This is not like a small local app that you can run safely on your computer, this is about a server that is exposed to attacks and also has a clear history of important security issues (and a lot of them) until this became completely dead and nobody care about them. This reminds me to the times of webkit-gtk supposedly having no security issues until, suddenly, they looked to it and they told us to drop the old versions as soon as possible as they were vulnerable a lot
> There are plenty of web servers available, Which one the webservers in the `www-servers` portage category allow for no-config-file-required serving a dir of files with dirindex as the current user using a one-liner? Our own Górny's `pshs` comes close but doesn't do directory indices. > why do you want to keep people using this one I am not telling people what to run. > that is clearly abandoned It has a homepage and the author is alive. Define abandoned. > and probably risky to run? As I pointed out before, the argument you constructed for deeming it 'probably risky' is logically flawed. A more substantive argument about code quality would at least include a mention of the many compiler warnings it throws. > This is not like a small local app that you can run safely on your computer "People" (N=4) are kinda using it in that manner though, to quickly share a dir of files for a couple of minutes to colleagues on a local LAN. I'd say the initscript has to go; it may very well not even have been the authors intention for it to be used that way. Plus the initscript has had a CVE of its own (CVE-2013-0347, severity high, zomg! don't use gentoo initscripts!). > until this became completely dead and nobody care about them. Without substantiation this is just speculation. > This reminds me to the times of webkit-gtk supposedly having no security issues until, suddenly, they looked to it and they told us to drop the old versions as soon as possible as they were vulnerable a lot Yes, that's how these things go, isn't it? There's an incident and then someone or a bunch of people take a second look. I've mentioned an offer to proxy-maintain this to which you didn't respond. Proxy-maintainers are important for Gentoo though. Anyway, if you want to follow up properly on your suspicions, wait for me to attain maintainership, and then analyse the source code and file security bugs against the package. When I get tired of those security bugs filed we'll drop the package after all. But that time, with substantiation.
Let CC proxy-maint people... even if my concerns about keeping this for the wide use still stand
for the record, I'm using it, and asking if this is removed what can be used in its scope (lightweight server to temporary open a filesystem directory for download files by http)
removed
