Re: [fossil-users] Show time...
> 1. Enable Safe interpreters for Tcl

How did you do that? The flint repository doesn't seem to include the fossil build script.

> 2. Enforce that the SSH program cannot be run (by patching popen2()
> to return an error)

Are you not using chroot to protect repositories from each other?

> 3. (Not complete, but started) run each instance of Fossil as a
> different UID based on their Flint UID+131072

That's actually the next thing on my TODO list -- I think it's a good idea!

> 1. Need to add the domain to the Public Suffix List (otherwise,
> you haven't mitigated the issue completely)

I think the only security issue left vis-a-vis untrusted subdomains is that a malicious repository can insert thousands of junk cookies, displacing the login cookie on the secure subdomain and thus logging the user out. I think it's a mild annoyance at most. Feel free to contradict me on this.

> 2. Getting a wildcard cert

I also put it off for the longest time. It turned out to be surprisingly easy to do, and in fact less annoying than http validation.

Cheers,
Eduard

On 06/04/2018 10:37 PM, Roy Keene wrote:

Other things we do at ChiselApp:

1. Enable Safe interpreters for Tcl
2. Enforce that the SSH program cannot be run (by patching popen2() to return an error)
3. (Not complete, but started) run each instance of Fossil as a different UID based on their Flint UID+131072

I thought about putting each repo under their own domain, but doing so requires a bit more work:

1. Need to add the domain to the Public Suffix List (otherwise, you haven't mitigated the issue completely)
2. Getting a wildcard cert

On Mon, 4 Jun 2018, Eduard wrote:

I was planning on making a more official announcement, but here goes. I'm the developer of Hydra, a single-sign-on and manager for fossil repositories.

https://hydra.ecd.space/f/hydra/wiki/hydra

I think this is relevant as people may be looking to GitHub alternatives for multiproject hosting.
I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting multiple repositories on the same domain (which also affect chiselapp), when setup privilege is given to malicious users (for the repositories they create) and they convince other people to visit their malicious repository while logged in. I've done this by using a separate subdomain for each repository, and by patching Fossil itself to receive the CSRF token from Hydra. More details here:

https://static.ecd.space/x/hydra/doc/build/html/subdomains.html

I've also done some security hardening by dropping each repository in a separate chroot (to contain damage from a potential arbitrary code execution vulnerability in fossil itself).

(Sorry drh, I accidentally replied only to you instead of the mailing list.)

On 06/03/2018 09:28 PM, Richard Hipp wrote:

There is suddenly a big uptick in traffic to fossil-scm.org, apparently due to the recent GitHub rumor. Unlike that traditional "slashdot effect", though, the referrals seem to be coming for a large variety of sources.

So, if anybody sees any last minute tidying up that we need to do to the website in anticipation of a huge influx of first-time visitors, please speak up. Quickly.

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
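As an added illustration of the cookie-scoping question in this exchange (not code from Hydra, Fossil or ChiselApp): a small model of how a browser decides, following RFC 6265, whether a Set-Cookie from one subdomain is accepted and whether that cookie is later sent to a sibling subdomain, and how the outcome changes once the shared parent domain is on the Public Suffix List. The host names, the session cookie and the toy suffix list are constructed.

```python
"""Model of RFC 6265 cookie domain scoping plus the Public Suffix List check.

Added illustration for this thread; not Hydra's, Fossil's or ChiselApp's
code. The host names and the toy suffix list below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # host or Domain attribute the cookie is scoped to
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host ends in '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(jar: List[Cookie], request_host: str, name: str, value: str,
                 domain_attr: Optional[str], public_suffixes: Set[str]) -> bool:
    """Apply RFC 6265 section 5.3 steps 5 and 6 to one Set-Cookie header.

    Returns True when the cookie is stored in `jar`, False when a compliant
    user agent ignores it. A cookie with the same (name, domain) is replaced.
    """
    request_host = request_host.lower()
    if domain_attr is None:
        cookie = Cookie(name, value, request_host, host_only=True)
    else:
        domain = domain_attr.lower().lstrip(".")
        # Step 5: a Domain attribute naming a public suffix is ignored, unless
        # it is exactly the request host, in which case the cookie degrades
        # to a host-only cookie.
        if domain in public_suffixes:
            if domain != request_host:
                return False
            cookie = Cookie(name, value, request_host, host_only=True)
        # Step 6: the request host itself must domain-match the attribute.
        elif not domain_matches(request_host, domain):
            return False
        else:
            cookie = Cookie(name, value, domain, host_only=False)
    jar[:] = [c for c in jar if (c.name, c.domain) != (cookie.name, cookie.domain)]
    jar.append(cookie)
    return True


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of the jar's cookies that a request to request_host carries (section 5.4)."""
    request_host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only and c.domain == request_host:
            sent.append(c.name)
        elif not c.host_only and domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


def simulate(parent_on_psl: bool) -> dict:
    """One SSO host and one repository host under a constructed parent domain.

    The repository page tries to plant a cookie scoped to the whole parent;
    the result shows whether the SSO host ends up receiving it.
    """
    parent = "fossil.test"                       # constructed hosting domain
    sso_host = "login." + parent
    repo_host = "untrusted-repo." + parent
    psl = {"test"} | ({parent} if parent_on_psl else set())
    jar: List[Cookie] = []
    store_cookie(jar, sso_host, "session", "opaque-token", None, psl)
    planted = store_cookie(jar, repo_host, "junk", "x", parent, psl)
    return {"junk_accepted": planted, "seen_by_sso": cookies_sent_to(jar, sso_host)}


if __name__ == "__main__":
    for on_psl in (False, True):
        print("parent on PSL:", on_psl, "->", simulate(on_psl))
```

Without the PSL entry, a cookie the repository host scopes to the parent domain is accepted and is sent along with the SSO host's own session cookie; with the parent listed, the same Set-Cookie is dropped at step 5, which is the mitigation point 1 of the quoted list is about. The model deliberately leaves out per-domain cookie count limits, so it says nothing either way about the eviction scenario raised in the reply.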
[fossil-users] 3rd Call For Papers - 25th Annual Tcl/Tk Conference (Tcl'2018)
Hello Fossil Users,

fyi ...

25th Annual Tcl/Tk Conference (Tcl'2018)
http://www.tcl.tk/community/tcl2018/

October 15 - 19, 2018
Crowne Plaza Houston River Oaks
2712 Southwest Freeway, 77098 Houston, Texas, USA

[ Reminder
  * [Registration is open](https://www.tcl.tk/community/tcl2018/register.html)
  * [Submission is open](https://www.tcl.tk/community/tcl2018/cfp.html)
  * Our Keynote speaker is [Andrea Casotto](https://www.tcl.tk/community/tcl2018/bios.html#acasotto)
]

Important Dates:

  Abstracts and proposals due     August 20, 2018
  Notification to authors         August 27, 2018
  WIP and BOF reservations open   July 23, 2018  ** may change **
  Registration opens              IS OPEN
  Author materials due            September 24, 2018
  Tutorials Start                 October 15, 2018
  Conference starts               October 17, 2018

Email Contact: tclconfere...@googlegroups.com

Submission of Summaries

Tcl/Tk 2018 will be held in Houston, Texas, USA from October 15, 2018 to October 19, 2018. The program committee is asking for papers and presentation proposals from anyone using or developing with Tcl/Tk (and extensions). Past conferences (Proceedings: http://www.tcl.tk/community/conferences.html) have seen submissions covering a wide variety of topics including:

* Scientific and engineering applications
* Industrial controls
* Distributed applications and Network Management
* Object oriented extensions to Tcl/Tk
* New widgets for Tk
* Simulation and application steering with Tcl/Tk
* Tcl/Tk-centric operating environments
* Tcl/Tk on small and embedded devices
* Medical applications and visualization
* Use of different programming paradigms in Tcl/Tk and proposals for new directions.
* New areas of exploration for the Tcl/Tk language

Submissions should consist of an abstract of about 100 words and a summary of not more than two pages, and should be sent as plain text to tclconfere...@googlegroups.com no later than August 20, 2018.
Authors of accepted abstracts will have until September 24, 2018 to submit their final paper for inclusion in the conference proceedings. The proceedings will be made available on digital media, so extra materials such as presentation slides, code examples, code for extensions etc. are encouraged. Printed proceedings will be produced as an on-demand book at lulu.com. Online proceedings will appear via http://www.tcl.tk/community/conferences.html

The authors will have 30 minutes to present their paper at the conference.

The program committee will review and evaluate papers according to the following criteria:

* Quantity and quality of novel content
* Relevance and interest to the Tcl/Tk community
* Suitability of content for presentation at the conference

Proposals may report on commercial or non-commercial systems, but those with only blatant marketing content will not be accepted.

Application and experience papers need to strike a balance between background on the application domain and the relevance of Tcl/Tk to the application. Application and experience papers should clearly explain how the application or experience illustrates a novel use of Tcl/Tk, and what lessons the Tcl/Tk community can derive from the application or experience to apply to their own development efforts.

Papers accompanied by non-disclosure agreements will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U. S. Copyright Act of 1976.

The primary author for each accepted paper will receive registration to the Technical Sessions portion of the conference at a reduced rate.

Other Forms of Participation

The program committee also welcomes proposals for panel discussions of up to 90 minutes. Proposals should include a list of confirmed panelists, a title and format, and a panel description with position statements from each panelist.
Panels should have no more than four speakers, including the panel moderator, and should allow time for substantial interaction with attendees. Panels are not presentations of related research papers.

Slots for Works-in-Progress (WIP) presentations and Birds-of-a-Feather sessions (BOFs) are available on a first-come, first-served basis starting on July 23, 2018. Specific instructions for reserving WIP and BOF time slots will be provided in the registration information available on July 23, 2018. Some WIP and BOF time slots will be held open for on-site reservation. All attendees with an interesting work in progress should consider reserving a WIP slot.

Registration Information

More information on the conference is available on the conference Web site (http://www.tcl.tk/community/tcl2018/) and will be published on various Tcl/Tk-related information channels. To keep in touch with news regarding the conference, subscribe to the tclconfere...@googlegroups.com list.

See:
Re: [fossil-users] Show time...
Other things we do at ChiselApp:

1. Enable Safe interpreters for Tcl
2. Enforce that the SSH program cannot be run (by patching popen2() to return an error)
3. (Not complete, but started) run each instance of Fossil as a different UID based on their Flint UID+131072

I thought about putting each repo under their own domain, but doing so requires a bit more work:

1. Need to add the domain to the Public Suffix List (otherwise, you haven't mitigated the issue completely)
2. Getting a wildcard cert

On Mon, 4 Jun 2018, Eduard wrote:

I was planning on making a more official announcement, but here goes. I'm the developer of Hydra, a single-sign-on and manager for fossil repositories.

https://hydra.ecd.space/f/hydra/wiki/hydra

I think this is relevant as people may be looking to GitHub alternatives for multiproject hosting.

I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting multiple repositories on the same domain (which also affect chiselapp), when setup privilege is given to malicious users (for the repositories they create) and they convince other people to visit their malicious repository while logged in. I've done this by using a separate subdomain for each repository, and by patching Fossil itself to receive the CSRF token from Hydra. More details here:

https://static.ecd.space/x/hydra/doc/build/html/subdomains.html

I've also done some security hardening by dropping each repository in a separate chroot (to contain damage from a potential arbitrary code execution vulnerability in fossil itself).

(Sorry drh, I accidentally replied only to you instead of the mailing list.)

On 06/03/2018 09:28 PM, Richard Hipp wrote:

There is suddenly a big uptick in traffic to fossil-scm.org, apparently due to the recent GitHub rumor. Unlike that traditional "slashdot effect", though, the referrals seem to be coming for a large variety of sources.
So, if anybody sees any last minute tidying up that we need to do to the website in anticipation of a huge influx of first-time visitors, please speak up. Quickly.
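An added example (not Flint's, ChiselApp's or Fossil's code) of the per-instance isolation described in points 2 and 3 above, combined with the per-repository chroot mentioned earlier in the thread: derive the service UID as Flint UID + 131072 with a range check, confirm it does not collide with a local account, and launch a command as that UID inside a chroot, dropping supplementary groups before the primary group and the UID so the drop cannot be undone. The group ID, chroot directory and command line are assumptions.

```python
"""Per-instance UID derivation and privilege drop for a hosted Fossil process.

Added example for this thread; not Flint's, ChiselApp's or Fossil's code.
The offset 131072 comes from the message above; the gid, chroot path and
the command to run are assumptions.
"""
import os
import pwd
import subprocess
from typing import List

FLINT_UID_OFFSET = 131072   # from the message: run as Flint UID + 131072
UID_MAX = 2**32 - 2         # uid_t is 32-bit on Linux; 0xFFFFFFFF means "no change"


def service_uid(flint_uid: int) -> int:
    """Map a Flint user id onto the UID its Fossil processes run as.

    Rejects negative ids, bools and anything that would overflow uid_t.
    """
    if isinstance(flint_uid, bool) or not isinstance(flint_uid, int) or flint_uid < 0:
        raise ValueError("flint_uid must be a non-negative integer")
    uid = flint_uid + FLINT_UID_OFFSET
    if uid > UID_MAX:
        raise ValueError("derived uid would overflow uid_t")
    return uid


def collides_with_local_account(uid: int) -> bool:
    """True if the derived UID already belongs to an account in the passwd database.

    A hit means the hosted process would share files and signals with a real user,
    so the deployment should refuse to start that instance.
    """
    try:
        pwd.getpwuid(uid)
    except KeyError:
        return False
    return True


def drop_privileges(uid: int, gid: int, chroot_dir: str) -> None:
    """Run in the child before exec: chroot, then drop groups, gid, uid in that order."""
    os.chroot(chroot_dir)
    os.chdir("/")
    os.setgroups([])    # supplementary groups first; impossible once uid is dropped
    os.setgid(gid)
    os.setuid(uid)
    # Verify the drop is irreversible: regaining root must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def run_as_service_user(flint_uid: int, argv: List[str], chroot_dir: str, gid: int) -> int:
    """Launch argv as the derived UID inside chroot_dir; returns the exit status.

    Any failure inside drop_privileges aborts the launch before exec, which is
    the safe direction: never run the command with more privilege than intended.
    """
    uid = service_uid(flint_uid)
    if collides_with_local_account(uid):
        raise RuntimeError("derived uid %d belongs to a local account" % uid)
    proc = subprocess.run(argv, check=False,
                          preexec_fn=lambda: drop_privileges(uid, gid, chroot_dir))
    return proc.returncode


if __name__ == "__main__":
    print("Flint uid 5 ->", service_uid(5))
    if os.geteuid() == 0:
        # Assumed layout: one jail per repository with a static fossil binary inside.
        status = run_as_service_user(5, ["/fossil", "server", "/repo.fossil"],
                                     "/srv/jails/5", gid=65534)
        print("exit status", status)
    else:
        print("not root; skipping the chroot/setuid demonstration")
```

The order inside drop_privileges matters: setgroups() and setgid() require root, so they must precede setuid(), and the trailing setuid(0) probe turns a silently failed drop into a hard error before the hosted binary ever runs.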
Re: [fossil-users] Show time...
I was planning on making a more official announcement, but here goes. I'm the developer of Hydra, a single-sign-on and manager for fossil repositories.

https://hydra.ecd.space/f/hydra/wiki/hydra

I think this is relevant as people may be looking to GitHub alternatives for multiproject hosting.

I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting multiple repositories on the same domain (which also affect chiselapp), when setup privilege is given to malicious users (for the repositories they create) and they convince other people to visit their malicious repository while logged in. I've done this by using a separate subdomain for each repository, and by patching Fossil itself to receive the CSRF token from Hydra. More details here:

https://static.ecd.space/x/hydra/doc/build/html/subdomains.html

I've also done some security hardening by dropping each repository in a separate chroot (to contain damage from a potential arbitrary code execution vulnerability in fossil itself).

(Sorry drh, I accidentally replied only to you instead of the mailing list.)

On 06/03/2018 09:28 PM, Richard Hipp wrote:

There is suddenly a big uptick in traffic to fossil-scm.org, apparently due to the recent GitHub rumor. Unlike that traditional "slashdot effect", though, the referrals seem to be coming for a large variety of sources.

So, if anybody sees any last minute tidying up that we need to do to the website in anticipation of a huge influx of first-time visitors, please speak up. Quickly.
Re: [fossil-users] Unnable to merge: Cannot find a common ancestor between the current checkout and ID
On 6/4/18, Richie Adler wrote:
> Richard,
>
> I'm having now the same problem in my repository at
> https://chiselapp.com/user/richieadler/repository/axxoneval/
>
> I'm trying to merge the branch "mejorasilus" into trunk.

When I look at your timeline, I see the "mejorasilus" has already been merged into trunk, and then closed.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Unnable to merge: Cannot find a common ancestor between the current checkout and ID
Richard,

I'm having now the same problem in my repository at https://chiselapp.com/user/richieadler/repository/axxoneval/

I'm trying to merge the branch "mejorasilus" into trunk. For "fossil stat" I get

  [...]
  checkout:     4541a5d4ba186d49dbc8e2f31ab91796fee90de3 2018-05-30 22:43:54 UTC
  parent:       0fa7991da7a851e7ab69c8b11217db666d467ef3 2018-05-26 00:20:26 UTC
  child:        6f2cb868897367ce42ef2aeb5283e876bb8fd6eb 2018-06-03 17:30:43 UTC
  tags:         trunk
  comment:      Bugfix: modified_on=request.now al poner a cero las evaluaciones (user: Kilroy)

  >f merge mejorasilus
  Autosync:  http://richiead...@chiselapp.com/user/richieadler/repository/axxoneval
  Round-trips: 1   Artifacts sent: 0  received: 0
  Pull done, sent: 405  received: 2377  ip: 74.208.146.128
  cannot find a common ancestor between the current checkout and mejorasilus

  >f merge 82494c4441
  Autosync:  http://richiead...@chiselapp.com/user/richieadler/repository/axxoneval
  Round-trips: 1   Artifacts sent: 0  received: 0
  Pull done, sent: 407  received: 2378  ip: 74.208.146.128
  cannot find a common ancestor between the current checkout and 82494c4441

You should be able to access the repository anonymously... any ideas?

Compiled in Windows 7 with MinGW. This is fossil version 2.6 [f39d0a7290] 2018-06-04 19:52:53 UTC
Re: [fossil-users] Show time...
On Jun 3, 2018, at 7:28 PM, Richard Hipp wrote:
>
> So, if anybody sees any last minute tidying up that we need to do to
> the website in anticipation of a huge influx of first-time visitors,
> please speak up. Quickly.

There are several nits to pick on the Fossil vs. Git page:

http://fossil-scm.org/index.html/doc/trunk/www/fossil-v-git.wiki

I’ve just checked in a few minor fixes to it.

One remaining issue that has been noticed before and is still outstanding is that in style.css, the rules for h2 and h3 have their sizes swapped, so that the subordinate header is rendered in a larger font. I believe the simplest fix is that this:

    .content h2 {
      font-size: 1.05em;
      font-weight: bold;
    }

should be:

    .content h3 {
      font-size: 1.05em;
    }

That is, we’ve got a simple typo here, h2 -> h3. There is no need to bold the font explicitly, as that’s the default in all sensible browsers, but it’s harmless to include it. If you feel it’s necessary to keep it, it should probably be done in h1 as well for consistency.

Another issue, which is much bigger, is that because the section 3 points expand on the summary table, it makes much the same points repeatedly. Sections 3.3, 3.4, and 3.7 could be merged.

Additionally, I think this document should explicitly ask the question, “Does your project look more like that of the Linux kernel, or more like that of SQLite?” The comment about the low-friction path addresses this somewhat, but I think the focus should be more on these design decisions’ impact on the end-user experience than on the history that led to the decisions.

I like the summary table, and I like the parallel to it in section 3, so maybe the simplest fix is to reorder these points to group them, then make these three sections 3.3.1, 3.3.2, and 3.3.3, with the superordinate section 3.3 covering the common matters. That in turn would require an h4 level, not something that is currently defined in style.css, but the default stylesheets should include not only that, but also h5.
Section 3.6 should mention git-worktree as a partial solution to this relative weakness of Git, but also discuss its unfortunate consequences and remaining weaknesses:

https://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg25686.html

Section 4.1 repeats much of what’s in section 3. I think you could drop the explanatory paragraph below the first three bold bullet points, as they now need no explanation.

I think timeline.rss is worth its own bullet point in section 4.1. It’s not strictly part of Fossil UI; that would be /timeline.

In section 4.2, you should mention narrow and shallow clones. Git has them, Fossil doesn’t.
Re: [fossil-users] Show time...
Is ChiselApp not serious enough for you?

On Sun, 3 Jun 2018, Joseph R. Justice wrote:

On Sun, Jun 3, 2018, 9:33 PM Richard Hipp wrote:

On 6/3/18, Richard Hipp wrote:
>
> So, if anybody sees any last minute tidying up that we need to do...

For example, on the front page (https://fossil-scm.org/index.html/doc/trunk/www/index.wiki), what if I add some text to item 8 to talk about how Fossil is "Independent and not beholden to venture capitalists". Too snarky?

Neither is Git. The Fossil-based competition to GitHub would be, for instance, Chiselapp (IIRC). I dare say that the greatest beneficiary of this stuff is likely to be Gitlab.

Is anybody doing any serious for-profit Fossil repository hosting yet?

Joseph
Re: [fossil-users] Show time...
Adding the full-text-search to the header by default could be helpful; it's nice having repository search close-at-hand in GitHub/GitLab

On Mon, Jun 4, 2018 at 2:23 AM, Gour wrote:
> On Sun, 3 Jun 2018 20:03:44 -0700
> Jungle Boogie
> wrote:
>
> > This line:
> > SQLite project gets excellent 73:1 compression.
>
> $ fossil dbstat
> project-name:      Osobne financije
> repository-size:   6,873,088 bytes
> artifact-count:    2,578 (stored as 1,394 full text and 1,184 deltas)
> artifact-sizes:    3,962,610 average, 13,965,692 max, 10,215,609,449 total
> compression-ratio: 1486:1
> check-ins:         1,507
> ...
>
> :-)
>
>
> Sincerely,
> Gour
>
> --
> You have a right to perform your prescribed duty, but you
> are not entitled to the fruits of action. Never consider
> yourself the cause of the results of your activities,
> and never be attached to not doing your duty.
Re: [fossil-users] Show time...
On Sun, 3 Jun 2018 20:03:44 -0700 Jungle Boogie wrote:

> This line:
> SQLite project gets excellent 73:1 compression.

$ fossil dbstat
project-name:      Osobne financije
repository-size:   6,873,088 bytes
artifact-count:    2,578 (stored as 1,394 full text and 1,184 deltas)
artifact-sizes:    3,962,610 average, 13,965,692 max, 10,215,609,449 total
compression-ratio: 1486:1
check-ins:         1,507
...

:-)


Sincerely,
Gour

--
You have a right to perform your prescribed duty, but you
are not entitled to the fruits of action. Never consider
yourself the cause of the results of your activities,
and never be attached to not doing your duty.