Date: Tue, 19 Feb 2008 10:06:33 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: wiki

* [2008-02-18 22:16:53 +0300] Solar Designer wrote:

>> >Also, I've noticed what I think is a major issue with the wiki -
>> >although it is configured to obfuscate e-mail addresses, it only does so
>> >when displaying the latest revision of a page.  Older revisions and page
>> >source appear with the e-mail addresses intact, ready to be grabbed by a
>> >"spambot".
>
>It turned out that the older revisions were also subject to automated
>e-mail address obfuscation, and the reason I got confused was that I was
>looking specifically at the welcome page where you did not enter this
>list's address in the DokuWiki-supported format right away.  And it only
>obfuscates e-mail addresses it recognizes - not anything with an @-sign.
>So we need to be very careful about this - e-mail addresses must be
>entered as <user@...mple.org> - with the angle brackets.  Anyway, I went
>ahead and corrected this in the old revisions for the welcome page
>(using VIM on files in the attic) - I hope you don't mind.

Nope, I don't mind.  That was before I was looking at the DokuWiki
syntax, I'm sure.

>As to page source, I've disabled the view source / export raw feature.
>Of course, logged in users with page editing rights can view the source
>with non-obfuscated e-mail addresses anyway, but let's hope "spambots"
>are not that good yet - and at a later time we might want to (or have
>to) revoke page editing rights for new user accounts anyway.

That's a good idea.  I don't know if DokuWiki supports moderated
membership, but if it does, we should keep that in mind and possibly
enable that in the future to prevent things like spambots or others from
hijacking pages.

>> > ... I think that some of the content to add would be list charter for
>> >oss-security (Josh?) and official(?) or primary description of
>> >vendor-sec.  For the latter, we can take the text from the recently
>> >created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
>> >have the Wikipedia page backed by the already-public info on our wiki.
>> 
>> These sound like good ideas to me.  Particularly the bit on vendor-sec.
>
>OK, so who is to create the page on vendor-sec?  It'd be great if the
>same people who edited the Wikipedia page would do it, but Steve Kemp
>did not join us on this list - and I can't force people to join... OK,
>maybe I can ask him about that.

I believe he's joined, although I didn't see a page about vendor-sec
yet.

>> I think for this to become effective, we need to expose it more
>
>We'll definitely expose the oss-security wiki.  I am going to mention it
>in one of Openwall news items and in an announcement list posting.

I've mentioned it on my personal blog and will probably send a notice to
the Mandriva security-discuss mailing list to let our users know about
it as well.

>> and at the same time we can expose vendor-sec a little bit more too.
>
>Yes, this is what will happen, and it appears that vendor-sec members
>are either for greater exposure or feel neutral about it.

That's good to hear (I didn't think anyone would be against it, and
neutral is ok).

-- 
Vincent Danen @ http://linsec.ca/
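
Added example, not part of the original message and not DokuWiki's own code: a check for the problem discussed above, where only addresses written in the `<user@example.org>` form get obfuscated. It flags every address in page text that is not wrapped in angle brackets; the file names, the sample content and the assumption that old revisions are stored gzip-compressed are constructed for illustration.

```python
import gzip
import re

# Loose address matcher: local part, "@", dotted domain. Deliberately broader
# than what the wiki recognizes, because the point is to catch what it misses.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def find_unprotected(text):
    """Return (line_number, address) for each address not written as <address>."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL.finditer(line):
            wrapped = (m.start() > 0 and line[m.start() - 1] == "<"
                       and m.end() < len(line) and line[m.end()] == ">")
            if not wrapped:
                hits.append((lineno, m.group(0)))
    return hits


def scan_revisions(revisions):
    """revisions: {name: bytes}. Gzip-compressed content (assumed format for
    old revisions) is detected by its magic bytes and decompressed first."""
    report = {}
    for name, blob in revisions.items():
        if blob[:2] == b"\x1f\x8b":
            blob = gzip.decompress(blob)
        hits = find_unprotected(blob.decode("utf-8", errors="replace"))
        if hits:
            report[name] = hits
    return report


# Constructed sample data: a current page and one compressed old revision.
SAMPLE = {
    "welcome.txt": b"Contact: <list@example.org>\nSee also the charter.\n",
    "welcome.1203000000.txt.gz": gzip.compress(
        b"Mail list@example.org to subscribe.\nOr write <owner@example.org>.\n"),
}

if __name__ == "__main__":
    for name, hits in scan_revisions(SAMPLE).items():
        for lineno, addr in hits:
            print(f"{name}:{lineno}: {addr} is not in <...> form")
```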
