Date: Mon, 18 Feb 2008 08:56:16 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: wiki
* [2008-02-18 17:23:28 +0300] Solar Designer wrote:
>> I've set up a few pages to give it some structure and content.
>
>Yes, and I notice that Matthieu has added some more content to the pages
>you had created. Thanks to both of you!
Hmmm... so where's the Openwall vendor info, eh? <wink wink> =)
>Also, I've noticed what I think is a major issue with the wiki -
>although it is configured to obfuscate e-mail addresses, it only does so
>when displaying the latest revision of a page. Older revisions and page
>source appear with the e-mail addresses intact, ready to be grabbed by a
>"spambot". I think that we'll need to either fix it in the code (or is
>there a configuration setting I have missed?) or obfuscate e-mail
>addresses manually. The latter will be of little help for the addresses
>already entered into the wiki as they will remain in the old revisions.
Well, there's maybe a dozen in there and Lord knows the Mandriva
security contact gets more spam than I care to admit. Those addresses
are pretty public to begin with, so we should either figure out how to
obfuscate the old revisions or do it manually. I think the dozen or so
addresses that would show up in the old revisions shouldn't be a big
deal (provided we figure/implement something now before it really starts
to get populated).
>> ... set up a redirect on
>> http://oss-security.openwall.org/ so that you get bumped to /wiki/
>> instead of seeing an apache directory listing.
>
>Done. I've made this a temporary redirect (code 302) such that we can
>replace it with a static page later on (with links to the wiki and to
>non-wiki content that we might add).
Oh good, thanks.
>> Feel free to start adding content. I think the structure is ok enough
>> to start with, we'll see how it goes from there. It's pretty
>> straight-forward and should be easy enough to add to (I just added a few
>> links, some pages, etc. but every vendor should be adding their own info
>> there), and others can add content, etc.
>
>Yes. I think that some of the content to add would be list charter for
>oss-security (Josh?) and official(?) or primary description of
>vendor-sec. For the latter, we can take the text from the recently
>created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
>have the Wikipedia page backed by the already-public info on our wiki.
These sound like good ideas to me. Particularly the bit on vendor-sec.
I think for this to become effective, we need to expose it more and at
the same time we can expose vendor-sec a little bit more too.
>> I've also registered #oss-security on Freenode for chatting.
>
>Thanks! I am a little bit concerned that having an IRC channel might
>result in us having less "permanent" content (on this list and on the
>wiki) as questions will be asked and answered on IRC instead...
You'll always have a smaller subset of people on IRC than on the list
(i.e. right now it's just Josh and I). I don't think it will replace
the list, but supplement it. I know for Mandriva, it's good to discuss
things on IRC but more often than not a summary of sorts is sent to the
pertinent ml to let the others (who aren't on IRC, or aren't there at a
particular time, etc.) know what's going on, or what has been discussed,
etc.
I think a medium like IRC is invaluable for "rapid-response" or
brainstorming. There's nothing to stop a summation of discussion from
going back to the list for further discussion, but it's really useful
for discussing things to get a quick(er) resolution in some cases. Or
even just bouncing ideas around.
--
Vincent Danen @ http://linsec.ca/