Main Inclusion Report for smarty
Moodle already includes a copy of smarty and Debian has recently decided to remove the copy and depend on the system-installed version. This is an ongoing effort to get rid of Moodle's embedded libs (see bottom of EdubuntuContentServer).
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/s/smarty; the package is arch all
Rationale:
- dependency of moodle (in Main)
- moodle ships embedded copy of smarty and new Debian version splits out the copy and deps on system smarty
Security:
CVE entries: There are 14 total, not all of them are directly about smarty. One note would be that moodle's embedded version seems to be 2.6.9 from 2005. Jaunty has version 2.6.22 which I think fixes most of the CVEs.
Secunia history: 4 vulnerabilities with 3 having patches available
- No binaries or daemons, no open ports, etc. that I'm aware of.
Any source code review performed ? Not really. I don't know PHP so I don't think I'd add anything valuable.
Quality assurance:
In what situations does the package not work out of the box without configuration ? none
Does the package ask any debconf questions higher than priority 'medium' ? nope, no debconf
Debian bugs: 8 open. Important and Normal are mostly security-related
Maintenance in Debian is calm (5 uploads to unstable in 2008)
Upstream is active (4 releases in 2008)
Upstream bug tracker: I think this is it. They have forums, mailing lists, etc.
- Hardware: none
Is there a test suite in the upstream source or packaging ? There is a unit_tests dir in the source. Is it enabled to run in the build ? Nope. It might need some heavier deps (it mentions getting some stuff from PEAR and using a browser to view the results).
UI standards:
User-visible strings are internationalized using standard gettext system ? I don't think it has user-visible strings
Package with translatable strings builds a PO template during package build ? N/A
End-user applications ship a desktop file ? N/A
Standards compliance:
FHS, Debian Policy compliance ? I think so yes.
Debian library packaging guide standards compliance ? Not a library
- uses debhelper only, no patch system
Dependencies:
- only debhelper
Maintenance:
- How much maintenance is this package likely to need ? Basically just security tracking.
Who is responsible for monitoring the quality of this package and fixing its bugs ? Core Dev
Are they Ubuntu or Debian developers ? Yep
Background information:
- PHP Templating Engine
- What do upstream call this software ? They call it Smarty
Internationalization:
- Are graphical applications translatable? Do they support gettext? N/A
Reviewers
MIR bug: https://launchpad.net/bugs/327367
MainInclusionReportSmarty (last edited 2009-02-13 20:42:21 by adsl-75-15-205-23)