Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 579428 (w3af) - Package Review: w3af - Web Application Attach and Audit Framework
Summary: Package Review: w3af - Web Application Attach and Audit Framework
Keywords:
Status: CLOSED NOTABUG
Alias: w3af
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-DEADREVIEW
TreeView+ depends on / blocked
 
Reported: 2010-04-05 06:09 UTC by Michal Ambroz
Modified: 2010-12-17 17:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-17 17:51:25 UTC


Attachments (Terms of Use)

Description Michal Ambroz 2010-04-05 06:09:20 UTC
Dear members, please could you review this package to check its suitability for the Fedora Project?

The W3AF, is a Web Application Attack and Audit Framework.
The W3AF core and it's plug-ins are fully written in python.
The project has more than 130 plug-ins, which check for SQL injection,
cross site scripting (XSS), local and remote file inclusion and much more.

SPEC Url: http://rebus.webz.cz/d/w3af.spec
SRPM Url: http://rebus.webz.cz/d/w3af-1.0-0.1.rc3.fc12.src.rpm

Best regards 
Michal Ambroz

Comment 1 Josh Bressers 2010-04-05 11:52:28 UTC
While this package has a security relevance, the Security keyword is for security flaws. I'm removing the keyword.

Thanks for adding this, it should prove useful.

Comment 2 Michal Ambroz 2010-04-06 19:03:53 UTC
This will be long run I guess.

http://lists.fedoraproject.org/pipermail/legal/2010-April/001213.html
Tom "spot" Callaway pointed out that the package as it is could be complicated from the licensing point of view. 
GPLv2 is incompatible with GPLv3. 

Any help with review/comments/suggestions/packing dependencies are welcome.

Comment 3 Till Maas 2010-06-30 14:15:56 UTC
Some issues I found at first sight:

1) the manpage does not need to be gziped manually, this is done automatically by rpm
2) The complex License tag should have a comment explaining why it is that complicated
3) for the locales find-lang.sh should be used (see package guidelines)
4) the correct SF.net download URL is downloads.sourceforge.net/%{name}/%{name}-1.0-rc3.tar.bz2 iirc (see Source guidelines)
5) The patches need comments explaining why they are not upstreamable or if they are, what there upstream status is e.g. a pointer to the upstream tracker with the patch would be good. And please add a date to these comments

If you need detailed URLs to the mentioned guidelines, please ask and I will provide them.

And please provide links to unofficial reviews you performed, if you did some.

Comment 4 Jason Tibbitts 2010-11-17 13:38:45 UTC
Were the licensing issues ever clarified?

Any response to Till's commentary above?  At this point few people will spend time looking at this ticket if you don't respond to existing commentary.


Note You need to log in before you can comment on or make changes to this bug.