Date: Mon, 18 Feb 2008 22:16:53 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: wiki

On Mon, Feb 18, 2008 at 08:56:16AM -0700, Vincent Danen wrote:
> Hmmm... so where's the Openwall vendor info, eh?  <wink wink>  =)

Added.

Earlier today, I wrote:

> >Also, I've noticed what I think is a major issue with the wiki -
> >although it is configured to obfuscate e-mail addresses, it only does so
> >when displaying the latest revision of a page.  Older revisions and page
> >source appear with the e-mail addresses intact, ready to be grabbed by a
> >"spambot".

It turned out that the older revisions were also subject to automated
e-mail address obfuscation, and the reason I got confused was that I was
looking specifically at the welcome page where you did not enter this
list's address in the DokuWiki-supported format right away.  And it only
obfuscates e-mail addresses it recognizes - not anything with an @-sign.
So we need to be very careful about this - e-mail addresses must be
entered as <user@...mple.org> - with the angle brackets.  Anyway, I went
ahead and corrected this in the old revisions for the welcome page
(using VIM on files in the attic) - I hope you don't mind.

As to page source, I've disabled the view source / export raw feature.
Of course, logged in users with page editing rights can view the source
with non-obfuscated e-mail addresses anyway, but let's hope "spambots"
are not that good yet - and at a later time we might want to (or have
to) revoke page editing rights for new user accounts anyway.

> > ... I think that some of the content to add would be list charter for
> >oss-security (Josh?) and official(?) or primary description of
> >vendor-sec.  For the latter, we can take the text from the recently
> >created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
> >have the Wikipedia page backed by the already-public info on our wiki.
> 
> These sound like good ideas to me.  Particularly the bit on vendor-sec.

OK, so who is to create the page on vendor-sec?  It'd be great if the
same people who edited the Wikipedia page would do it, but Steve Kemp
did not join us on this list - and I can't force people to join... OK,
maybe I can ask him about that.

> I think for this to become effective, we need to expose it more

We'll definitely expose the oss-security wiki.  I am going to mention it
in one of Openwall news items and in an announcement list posting.

> and at the same time we can expose vendor-sec a little bit more too.

Yes, this is what will happen, and it appears that vendor-sec members
are either for greater exposure or feel neutral about it.

Alexander
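
An added example, not part of the original message and not DokuWiki's own code: a small audit that flags e-mail addresses in page source that are not written in the `<user@example.org>` form the message describes, so they can be corrected in current pages and in old revisions. The address regex, the function names, the sample text, and the assumption that old revisions may be stored as gzip-compressed `.txt.gz` files are assumptions of this example.

```python
import gzip
import re
from pathlib import Path

# Loose address pattern: about what a harvester would match, so good enough for an audit.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def find_unprotected_emails(text):
    """Return (line_number, address) for each address not written as <address>."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL.finditer(line):
            before = line[m.start() - 1] if m.start() > 0 else ""
            after = line[m.end()] if m.end() < len(line) else ""
            if not (before == "<" and after == ">"):
                hits.append((lineno, m.group()))
    return hits

def read_revision(path):
    """Read a page file; assumes old revisions may be gzip-compressed (.gz)."""
    path = Path(path)
    if path.suffix == ".gz":
        with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return path.read_text(encoding="utf-8", errors="replace")

def audit_tree(root):
    """Map each page file under root (current pages or attic) to its unprotected addresses."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.endswith((".txt", ".txt.gz")):
            hits = find_unprotected_emails(read_revision(path))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page source (not taken from the real wiki).
SAMPLE = """====== Welcome ======
Post to the list at <list@example.org>.
Questions: admin@example.org or mailto:owner@example.net
Wrapped in a sentence (<help@example.com>), still protected.
"""

if __name__ == "__main__":
    for lineno, addr in find_unprotected_emails(SAMPLE):
        print(f"line {lineno}: {addr} is not in <...> form")
```

Point `audit_tree` at a copy of the wiki's page and attic directories; an empty result means every address found is in the angle-bracket form.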
