Main Inclusion Report for moodle

1. Availability: The package is available in Ubuntu Universe (1.8.2-1ubuntu2) and is an arch-independent package.

2. Rationale: The package is an often requested application for Edubuntu and is needed to provide a complete educational platform.

3. Security:

   • No binaries running as root or suid and no daemons. This is a fairly typical PHP web app.
   • Moodle includes an apache.conf file that opens up only localhost:80

   • No unfixed CVE or SECUNIA reports for the current Ubuntu version (1.8.2). See also the Debian security tracker page.

   • Lots of vulnerabilities in the past. (36 old CVEs total)

   • Upstream has set up a Moodle Security Center

4. Quality assurance:

   • Needs manual setup via own web interface after install

   • Debian bugs: Eight major bugs and ten Normal in Debian and 0 bugs in Ubuntu.

   • Debian: is active/calm

   • Upstream: is fairly vigorous

   • There are 17 debconf questions with high or critical priority. They are related to setting up the database (both MySQL and PostgreSQL are supported).

5. Standards compliance:

   • The package meets the FHS and Debian Policy.
   • It uses debhelper and dpatch

6. Dependencies:

   • All in Main

7. Background:

   • Moodle is a very popular (their website alone has 200,000 users) education course management system. It allows teachers to create a virtual classroom with course content, forums, quizzes, chat, etc.

Reviews

MartinPitt:

• Horrible database setup code and too many debconf questions
• horrible security history
• However, this is an explicit goal, and we want to cover the maintenance costs, so approved.