Switching http://www.xemacs.org/cgi-bin/ to CVS controlled ~xemacweb/xemacsweb/cgi-bin/ (was: web list search broken)
Adrian.Aichner at t-online.de
Tue Jun 22 15:01:06 EDT 2004
Samuel S Chessman <chessman at tux.org> writes:
> On Fri, 11 Jun 2004, Stephen J. Turnbull wrote:
>> >>>>> "APA" == Adrian Aichner <Adrian.Aichner at t-online.de> writes:
>> APA> Sounds like a good idea in principle, but I don't think we
>> APA> should open our entire cgi-bin for "public review" :-)
>> Security through obscurity? C'mon, Adrian, it's free software. If
>> the bad guys want to get us, they know where to get the source. I've
>> seen some transcripts of conversations on IRC---these guys will use
>> CVS to peel versions off like rings from an onion, looking for bugs
>> until they find one, exploit it, then go searching for sites with that
> That's a side effect of the open source process that we can live with.
> The important point is to identify and correct problems. Security problems
> fall in that category.
Hi Sam, good to hear you have no fundamental reservations!
>> APA> I'm happy to discuss solutions, though.
>> I think we should get an OK from Tux first---I agree that it saves
>> someone who hates XEmacs or Tux some trouble---but really I see no
>> good reason not to have the search code in CVS if we're going to offer
>> CGIs at all.
> It sounds like you are considering putting the search code in CVS
The code is ready for review at
> and are concerned that this will expose gwyn.tux.org to malicious
> access attempts. Considering the large number of services, traffic,
> and people using this system I would like to state the incremental
> risk increase is small and tolerable.
> My recommendation is to go ahead, and look for security problems as
> well as the functional problem currently being addressed.
OK, I intend to switch over /etc/httpd/conf/xemacs/xemacs.conf
to use the cvs controlled directory and do some testing.
If that goes well I would leave it that way, unless I get reports of
problems or potential problems.
> Perhaps another administrator can comment.
No objections, I guess?
Thanks in advance,
mailto:adrian at xemacs.org