Switching http://www.xemacs.org/cgi-bin/ to CVS controlled ~xemacweb/xemacsweb/cgi-bin/ (was: web list search broken)
Adrian Aichner
Adrian.Aichner at t-online.de
Tue Jun 22 15:01:06 EDT 2004
Samuel S Chessman <chessman at tux.org> writes:
> On Fri, 11 Jun 2004, Stephen J. Turnbull wrote:
>
>> >>>>> "APA" == Adrian Aichner <Adrian.Aichner at t-online.de> writes:
>>
>> APA> Sounds like a good idea in principle, but I don't think we
>> APA> should open our entire cgi-bin for "public review" :-)
>>
>> Security through obscurity? C'mon, Adrian, it's free software. If
>> the bad guys want to get us, they know where to get the source. I've
>> seen some transcripts of conversations on IRC---these guys will use
>> CVS to peel versions off like rings from an onion, looking for bugs
>> until they find one, exploit it, then go searching for sites with that
>> version.
>
> That's a side effect of the open source process that we can live with.
> The important point is to identify and correct problems. Security problems
> fall in that category.
Hi Sam, good to hear you have no fundamental reservations!
>
>>
>> APA> I'm happy to discuss solutions, though.
>>
>> I think we should get an OK from Tux first---I agree that it saves
>> someone who hates XEmacs or Tux some trouble---but really I see no
>> good reason not to have the search code in CVS if we're going to offer
>> CGIs at all.
>
> It sounds like you are considering putting the search code in CVS
Exactly.
The code is ready for review at
http://cvs.xemacs.org/viewcvs.cgi/XEmacs/xemacsweb/cgi-bin/
> and are concerned that this will expose gwyn.tux.org to malicious
> access attempts. Considering the large number of services, traffic,
> and people using this system I would like to state the incremental
> risk increase is small and tolerable.
Good.
> My recommendation is to go ahead, and look for security problems as
> well as the functional problem currently being addressed.
OK, I intend to switch over /etc/httpd/conf/xemacs/xemacs.conf
to use the CVS controlled directory and do some testing.
If that goes well I would leave it that way, unless I get reports of
problems or potential problems.
>
> Perhaps another administrator can comment.
No objections, I guess?
> Sam
Thanks in advance,
Adrian
--
Adrian Aichner
mailto:adrian at xemacs.org
http://www.xemacs.org/