Date: Mon, 18 Feb 2008 22:16:53 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: wiki

On Mon, Feb 18, 2008 at 08:56:16AM -0700, Vincent Danen wrote:
> Hmmm... so where's the Openwall vendor info, eh?  <wink wink>  =)

Added.

Earlier today, I wrote:

> >Also, I've noticed what I think is a major issue with the wiki -
> >although it is configured to obfuscate e-mail addresses, it only does so
> >when displaying the latest revision of a page.  Older revisions and page
> >source appear with the e-mail addresses intact, ready to be grabbed by a
> >"spambot".

It turned out that the older revisions were also subject to automated
e-mail address obfuscation, and the reason I got confused was that I was
looking specifically at the welcome page where you did not enter this
list's address in the DokuWiki-supported format right away.  And it only
obfuscates e-mail addresses it recognizes - not anything with an @-sign.
So we need to be very careful about this - e-mail addresses must be
entered as <user@...mple.org> - with the angle brackets.  Anyway, I went
ahead and corrected this in the old revisions for the welcome page
(using VIM on files in the attic) - I hope you don't mind.

As to page source, I've disabled the view source / export raw feature.
Of course, logged in users with page editing rights can view the source
with non-obfuscated e-mail addresses anyway, but let's hope "spambots"
are not that good yet - and at a later time we might want to (or have
to) revoke page editing rights for new user accounts anyway.

> > ... I think that some of the content to add would be list charter for
> >oss-security (Josh?) and official(?) or primary description of
> >vendor-sec.  For the latter, we can take the text from the recently
> >created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
> >have the Wikipedia page backed by the already-public info on our wiki.
> 
> These sound like good ideas to me.  Particularly the bit on vendor-sec.

OK, so who is to create the page on vendor-sec?  It'd be great if the
same people who edited the Wikipedia page would do it, but Steve Kemp
did not join us on this list - and I can't force people to join... OK,
maybe I can ask him about that.

> I think for this to become effective, we need to expose it more

We'll definitely expose the oss-security wiki.  I am going to mention it
in one of Openwall news items and in an announcement list posting.

> and at the same time we can expose vendor-sec a little bit more too.

Yes, this is what will happen, and it appears that vendor-sec members
are either for greater exposure or feel neutral about it.

Alexander
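
An added example, not part of the original message and not DokuWiki's own code: a Python check that flags e-mail addresses in wiki text that are not written in the <user@example.org> form the message says the wiki recognizes, so they can be corrected in current and old revisions. The address regex, the function names and the sample revisions are assumptions constructed for illustration.

```python
import re

# Simplified address pattern for auditing (an assumption, not DokuWiki's matcher).
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def bare_addresses(text):
    """Return (line_no, address) for each address not written as <address>."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ADDR.finditer(line):
            before = line[m.start() - 1] if m.start() > 0 else ""
            after = line[m.end()] if m.end() < len(line) else ""
            # Only the exact <addr> form counts as the recognized format.
            if not (before == "<" and after == ">"):
                findings.append((line_no, m.group(0)))
    return findings


def audit(revisions):
    """Map revision name -> findings, keeping only revisions with findings."""
    report = {}
    for name, text in revisions.items():
        found = bare_addresses(text)
        if found:
            report[name] = found
    return report


# Constructed sample: an old revision with a bare address, and the corrected one.
SAMPLE_REVISIONS = {
    "welcome.rev1": "Post to list@example.org to reach us.\n"
                    "Maintainer: <admin@example.org>\n",
    "welcome.rev2": "Post to <list@example.org> to reach us.\n"
                    "Maintainer: <admin@example.org>\n",
}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_REVISIONS).items():
        for line_no, addr in found:
            print(f"{name}:{line_no}: not in <...> form: {addr}")
```

Old revisions need the same check as the current page, since each stored revision is rendered from its own source text.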
