On Sun, 31 Dec 2017, Robert wrote:
Date: Sun, 31 Dec 2017 09:21:26 +0100
From: Robert <rob...@perl.org>
To: Ask Bjørn Hansen <a...@perl.org>
Cc: Henk P. Penning <penn...@uu.nl>, cpan-workers <cpan-workers@perl.org>
Subject: Re: sponsor logo on home of CPAN mirror
Encouraging mirrors to inject code is a very bad idea from a security
perspective. I agree with Ask that allowing them to inject config is safer
but is still a slippery slope.
Ok; here is the same thing with a /local/site.json file,
instead of a /local/site.js file:
http://cpan.cs.uu.nl/ondex2.html
View the page's source for javascript code and user instructions.
I think I prefer having local mods confined to "/local/",
and to disallow any other changes.
Regards,
Henk Penning
On Sat, Dec 30, 2017 at 9:58 PM, Ask Bjørn Hansen <a...@perl.org> wrote:
Rather than having it execute javascript that’s locally
modified, maybe we could have it just load some JSON?
I know that the mirror can technically change anything, so this
is not really a technical argument.
I think it’s important to maintain a stance that it’s
unacceptable to change anything (other than this…). Changing a
bit of meta data (a JSON file) seems less slippery slope than
changing a bit of website code.
Ask
------------------------------------------------------------
Henk P. Penning, ICT-beta                  R Uithof MG-403
Faculty of Science, Utrecht University     T +31 30 253 4106
Leuvenlaan 4, 3584CE Utrecht, NL           F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/  M penn...@uu.nl
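An added illustration of the data-not-code approach discussed in the thread. This is example code written for this page, not the script behind ondex2.html (whose contents are not shown here) and not part of any CPAN mirror software. The field names sponsor_name, sponsor_url and logo, the rule that a logo must be served from the mirror's own /local/ directory, and the element id "sponsor" are all assumptions. The point it makes: a site.json is only safer than a site.js if the page treats every field as untrusted data, checking the link scheme (so a javascript: or data: URL is refused) and building DOM nodes instead of writing markup.

```javascript
// Added example, not the CPAN mirror page's own code.
// Loads a per-mirror /local/site.json and renders a sponsor logo from it,
// treating the file strictly as data. Field names and the /local/ rule are
// assumptions made for this example.

const ALLOWED_LOGO_PREFIX = "/local/"; // assumption: logos live under /local/ only
const MAX_NAME_LENGTH = 80;

// Validate a decoded site.json object. Returns a sanitized object or null.
// Every field is untrusted: the mirror operator controls the file.
function validateSiteConfig(obj) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  const name = obj.sponsor_name;
  const url = obj.sponsor_url;
  const logo = obj.logo;

  if (typeof name !== "string" || name.length === 0 || name.length > MAX_NAME_LENGTH) return null;

  // Logo must be a same-origin path under /local/; this also rejects
  // protocol-relative "//host/..." and any "../" escape.
  if (typeof logo !== "string" || !logo.startsWith(ALLOWED_LOGO_PREFIX) || logo.includes("..")) return null;

  let link = null;
  if (url !== undefined) {
    if (typeof url !== "string") return null;
    let parsed;
    try {
      parsed = new URL(url); // absolute URLs only; relative ones throw
    } catch (_e) {
      return null;
    }
    // Scheme allowlist: refuses javascript:, data:, vbscript:, http:, etc.
    if (parsed.protocol !== "https:") return null;
    link = parsed.href;
  }
  return { name, logo, link };
}

// Parse the raw file body; a malformed or over-permissive file yields null,
// and the page simply shows no sponsor.
function parseSiteConfig(text) {
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (_e) {
    return null;
  }
  return validateSiteConfig(obj);
}

// Render with DOM construction only: no innerHTML, no document.write, so a
// sponsor string can never become markup or a script.
function renderSponsor(cfg, container, doc) {
  const img = doc.createElement("img");
  img.src = cfg.logo;
  img.alt = cfg.name;
  let node = img;
  if (cfg.link) {
    const a = doc.createElement("a");
    a.href = cfg.link;
    a.rel = "noopener";
    a.appendChild(img);
    node = a;
  }
  container.replaceChildren(node);
}

// Browser entry point: fetch the mirror's site.json and render it if valid.
async function loadSponsor(container, doc) {
  const resp = await fetch("/local/site.json", { credentials: "omit" });
  if (!resp.ok) return null;
  const cfg = parseSiteConfig(await resp.text());
  if (cfg) renderSponsor(cfg, container, doc);
  return cfg;
}

// Constructed sample inputs (not real mirror files).
const SAMPLE_GOOD =
  '{"sponsor_name":"Example Mirror Host","sponsor_url":"https://example.org/","logo":"/local/logo.png"}';
const SAMPLE_BAD_SCHEME =
  '{"sponsor_name":"x","sponsor_url":"javascript:alert(1)","logo":"/local/l.png"}';
const SAMPLE_BAD_LOGO =
  '{"sponsor_name":"x","logo":"https://evil.example/l.png"}';

if (typeof document !== "undefined") {
  loadSponsor(document.getElementById("sponsor"), document);
}
```

Used in a page, the script is the only code that runs; site.json is read with JSON.parse, which executes nothing, and the three checks above decide whether anything is rendered at all. That is the difference between "inject config" and "inject code" that Robert's mail refers to, made concrete.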