app-misc/gallery updated for webapp.eclass
Created attachment 36175: gallery-1.4.4_rc2.ebuild
Created attachment 36176: files/postinstall-en.txt
See http://bugs.gentoo.org/show_bug.cgi?id=51008 perhaps. Also, as of 1.4.4, Gallery no longer requires the use of configure.sh and secure.sh. The configuration wizard is run via a logged-in administrator for upgrades and without running the script on a new install.
Three issues about that ebuild. Only one is major:
1. In the dodoc line, Changelog should be Changlog.archive.gz (don't know why they have it that way).
2. After the dodoc, you should rm -f the dodoc files or else they're duplicated into the master-copy installation.
3. *** The major one ***: Don't "touch config.php". Packaging config.php makes it overwrite the user's config.php with no backup.
Doh, typo: I meant "ChangeLog.archive.gz"
Oh, and ditto item 3 for .htaccess!
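The overwrite risk raised in item 3 (and for .htaccess) can be checked before merging. The script below is an added example, not part of this bug thread or the ebuild; the function names, the directory layout and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag staged config files that would replace a user's copy.

# File names the thread identifies as user-owned configuration.
PROTECTED_NAMES="config.php .htaccess"

# List protected files in the staged image that would replace a different
# file already present in the live install (paths relative to the root).
list_clobbered_configs() {
    image_dir=${1%/}
    live_dir=${2%/}
    for name in $PROTECTED_NAMES; do
        find "$image_dir" -type f -name "$name" | while IFS= read -r staged; do
            rel=${staged#"$image_dir"/}
            if [ -f "$live_dir/$rel" ] && ! cmp -s "$staged" "$live_dir/$rel"; then
                printf '%s\n' "$rel"
            fi
        done
    done
}

# Return non-zero (and explain on stderr) when the merge would lose user config.
check_image() {
    clobbered=$(list_clobbered_configs "$1" "$2")
    [ -z "$clobbered" ] && return 0
    printf 'would overwrite without backup:\n%s\n' "$clobbered" >&2
    return 1
}

# Constructed sample: an image holding an empty config.php (what
# "touch config.php" stages) on top of an install that has a real one.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/image" "$tmp/live"
    : > "$tmp/image/config.php"
    echo '<?php /* site settings */' > "$tmp/live/config.php"
    echo 'Options -Indexes' > "$tmp/image/.htaccess"
    echo 'Options -Indexes' > "$tmp/live/.htaccess"   # identical: not reported
    list_clobbered_configs "$tmp/image" "$tmp/live"
    rm -rf "$tmp"
}

demo
```

A fresh install, where the live directory has no config.php yet, reports nothing because there is no user file to lose.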
Mike, thanks for your comments. I did not think about overwriting existing config files. Will fix shortly.
FYI there is a ChangeLog and a ChangeLog.archive.gz because the raw changelog is about ~300K when uncompressed. The non-compressed one is the most recent changes, usually since the last point release.
Ah, you're absolutely right, Chris. I missed that.
Created attachment 36698: gallery-1.4.4-r1.ebuild
- version bump (all arches dropped to ~)
- incorporated suggestions
Created attachment 36699: files/postinstall-en.txt
That one seems to work well here. One thought, though: I agree with you not doing "rm -rf html" after the dohtml, since the docs are linked from within gallery when logged in. But the dohtml redundantly duplicates the whole html documentation tree in /usr/share/doc/gallery-*. I'm not sure the right thing to do is *not* to do the dohtml so as to avoid this duplication since, typically, those docs are supposed to be there. I'm just mentioning it for consideration.
If/when we get ready to draft a GLSA:
20:42 <@Stuart> klieber: by default, we ship php w/ allow_fopen_url=off, which (from reading the code) should be enough to prevent the attack from working
In CVS, also see bug #60742
# emerge -av gallery
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] www-apps/gallery-1.4.4-r1 0 kB
Total size of downloads: 0 kB
Do you want me to merge these packages? [Yes/No]
>>> emerge (1 of 1) www-apps/gallery-1.4.4-r1 to /
>>> md5 src_uri ;-) gallery-1.4.4.tar.gz vhosts
>>> Unpacking source...
>>> Unpacking gallery-1.4.4.tar.gz to /var/tmp/portage/gallery-1.4.4-r1/work
 * Applying vuln-20040817.diff... [ ok ]
>>> Source unpacked.
>>> Install gallery-1.4.4-r1 into /var/tmp/portage/gallery-1.4.4-r1/image/ category www-apps
gzip: /var/tmp/portage/gallery-1.4.4-r1/image/usr/share/doc/gallery-1.4.4-r1/ChangeLog.archive.gz already has .gz suffix -- unchanged
 * (server owned) htdocs/albums
 * ebuild fault: file '/usr/portage/www-apps/gallery/files/postinstall-en.txt' not found
 * Please report this as a bug at http://bugs.gentoo.org/
!!! ERROR: www-apps/gallery-1.4.4-r1 failed.
!!! Function webapp_checkfileexists, Line 59, Exitcode 0
!!! ebuild fault: file '/usr/portage/www-apps/gallery/files/postinstall-en.txt' not found
Thanks for reporting. Missing file in CVS now, will hit your mirrors in about an hour.
Works for me now. :)