Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Feb 2008 08:56:16 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: wiki

* [2008-02-18 17:23:28 +0300] Solar Designer wrote:

>> I've setup a few pages to give it some structure and content.
>
>Yes, and I notice that Matthieu has added some more content to the pages
>you had created.  Thanks to both of you!

Hmmm... so where's the Openwall vendor info, eh?  <wink wink>  =)

>Also, I've noticed what I think is a major issue with the wiki -
>although it is configured to obfuscate e-mail addresses, it only does so
>when displaying the latest revision of a page.  Older revisions and page
>source appear with the e-mail addresses intact, ready to be grabbed by a
>"spambot".  I think that we'll need to either fix it in the code (or is
>there a configuration setting I have missed?) or obfuscate e-mail
>addresses manually.  The latter will be of little help for the addresses
>already entered into the wiki as they will remain in the old revisions.

Well, there's maybe a dozen in there and Lord knows the Mandriva
security contact gets more spam than I care to admit.  Those addresses
are pretty public to begin with, so we should either figure out how to
obfuscate the old revisions or do it manually.  I think the dozen or so
addresses that would show up in the old revisions shouldn't be a big
deal (provided we figure/implement something now before it really starts
to get populated).

>> ... setup a redirect on
>> http://oss-security.openwall.org/ so that you get bumped to /wiki/
>> instead of seeing an apache directory listing.
>
>Done.  I've made this a temporary redirect (code 302) such that we can
>replace it with a static page later on (with links to the wiki and to
>non-wiki content that we might add).

Oh good, thanks.

>> Feel free to start adding content.  I think the structure is ok enough
>> to start with, we'll see how it goes from there.  It's pretty
>> straight-forward and should be easy enough to add to (I just added a few
>> links, some pages, etc. but every vendor should be adding their own info
>> there), and others can add content, etc.
>
>Yes.  I think that some of the content to add would be list charter for
>oss-security (Josh?) and official(?) or primary description of
>vendor-sec.  For the latter, we can take the text from the recently
>created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
>have the Wikipedia page backed by the already-public info on our wiki.

These sound like good ideas to me.  Particularly the bit on vendor-sec.
I think for this to become effective, we need to expose it more and at
the same time we can expose vendor-sec a little bit more too.

>> I've also registered #oss-security on Freenode for chatting.
>
>Thanks!  I am a little bit concerned that having an IRC channel might
>result in us having less "permanent" content (on this list and on the
>wiki) as questions will be asked and answered on IRC instead...

You'll always have a smaller subset of people on IRC than on the list
(i.e. right now it's just Josh and I).  I don't think it will replace
the list, but supplement it.  I know for Mandriva, it's good to discuss
things on IRC but more often than not a summary of sorts is sent to the
pertinent ml to let the others (who aren't on IRC, or aren't there at a
particular time, etc.) know what's going on, or wha has been discussed,
etc.

I think a medium like IRC is invaluable for "rapid-response" or
brainstorming.  There's nothing to stop a summation of discussion from
going back to the list for further discussion, but it's really useful
for discussing things to get a quick(er) resolution in some cases.  Or
even just bouncing ideas around.

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.