Hello,

On Monday, 13 February 2012, Ralf Lang wrote:
> A lot of pear software adheres to separation of config and data, other things can be patched to work this way.
> Proposal:
> 1) Immutable parts of web apps live in /usr/share/php5/* (install tarballs) or /usr/share/php5/PEAR/* (if they are pear packages)

Define "Immutable parts", please ;-) What about
- template files that a user might customize (even if only 1% actually does it)
- smarty cache (templates_c directory)
- a CMS that allows uploading pictures etc.
- a webapp that allows installing extensions from an online repo (repo as in "write some PHP files somewhere", not as in "collection of rpms" ;-)
- webapps that allow updating themselves online (like wordpress - and no, I won't be surprised if I see a *shudder* from Ludwig because this requires write permissions for wwwrun on the whole webapp)

Things aren't as easy as you'd like them to be ;-) and you'll probably end up with lots of symlinks (depending on which webapp you package of course).

If you want real-world examples which parts/directories need to be writeable, I can look up the details in my apache AppArmor profile for (at least) Joomla, Typo3, S9Y and Mediawiki. Just ask if you are interested ;-)

> 2) Config lives in /etc/{appname}
> 3) We find a dir in /srv/ for apps that cannot easily be patched to work this way or need a web-writable folder

Sounds interesting. It will be even more interesting what your open_basedir setting will look like for such a setup *g*

> 4) rpm-installed web apps listen on localhost by default

I'm not sure if this is the best idea. Security-wise, well, maybe - but it will annoy lots of users...

If you implement something like this, please make sure to find a solution that
- won't cause lots of files in /etc/apache2/conf.d/ to be marked as "modified" by rpm (which makes updates more interesting - I don't like the idea of merging and cleaning up 100 *.rpmnew or *.rpmorig files)
- won't lock the webapp again after an update

> 5) We won't be all too strict and won't scare off maintainers of existing packages

;-)

That said, http://blog.koehntopp.de/archives/860-Webanwendungen-und-der-FHS.html is still an interesting read (German, use google translate if needed) and contains lots of interesting points (feel free to ignore the "don't package webapps as rpm" part).

If you have a déjà vu while reading this, don't be too surprised ;-) and have a look at http://lists.opensuse.org/opensuse-packaging/2011-04/msg00127.html (my comments from April are still valid).

BTW: The Fedora policy is "just" for PHP modules, PEAR and PECL packages (and it makes sense for them). It doesn't cover webapps (unless I overlooked something).

Regards,

Christian Boltz
-- 
Of course you can fell trees with nail scissors, and it is considerably safer than, let's say, a chainsaw. Nevertheless, a saw is the correct tool. [Ratti in suse-linux]
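
An added illustration of the open_basedir and symlink points raised in the message above; it is not part of the original e-mail or of any openSUSE package. The app name `demoapp`, the temporary directory tree and the helper functions are assumptions, and the check is a simplified model of PHP resolving symlinks before comparing a path against open_basedir.

```python
import os
import tempfile

def allowed(path, open_basedir):
    """Simplified model of the open_basedir check: resolve symlinks first,
    then require the real path to sit inside one of the listed directories."""
    real = os.path.realpath(path)
    for base in open_basedir.split(os.pathsep):
        base = os.path.realpath(base)
        if os.path.commonpath([real, base]) == base:
            return True
    return False

def build_layout(root, app="demoapp"):
    """Constructed sample tree following the proposed split (hypothetical app)."""
    share = os.path.join(root, "usr/share/php5", app)  # immutable code
    etc = os.path.join(root, "etc", app)               # config
    srv = os.path.join(root, "srv", app)               # web-writable data
    for d in (share, etc,
              os.path.join(srv, "templates_c"), os.path.join(srv, "uploads")):
        os.makedirs(d)
    # The app expects these directories inside its own tree, so the
    # package ships symlinks that point into the writable /srv area.
    for name in ("templates_c", "uploads"):
        os.symlink(os.path.join(srv, name), os.path.join(share, name))
    return share, etc, srv

def audit(share, open_basedir):
    """Entries of the app tree that land outside open_basedir once resolved."""
    return sorted(n for n in os.listdir(share)
                  if not allowed(os.path.join(share, n), open_basedir))

def demo():
    with tempfile.TemporaryDirectory() as root:
        share, etc, srv = build_layout(root)
        naive = os.pathsep.join([share, etc])      # code + config only
        full = os.pathsep.join([share, etc, srv])  # writable area added
        return audit(share, naive), audit(share, full)

if __name__ == "__main__":
    blocked, still_blocked = demo()
    print("outside open_basedir (share + etc):", blocked)
    print("outside open_basedir (srv added):  ", still_blocked)
```

Every symlinked writable directory has to be covered by its resolved target, so the open_basedir value grows with each directory the webapp needs to write to.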