On Tue, 26 Jun 2007 13:33:35 -0700
Micah Cowan <[EMAIL PROTECTED]> wrote:

hi micah,

> The GNU Project has appointed me as the new maintainer for wget, to fill
> the shoes that Mauro Tortonesi is leaving. I am very excited to be able
> to take part in the development of such a terrific and useful tool. I've
> certainly found it very helpful on many occasions.

congratulations on your appointment as the new wget maintainer. i hope you'll 
have more time to dedicate to wget than i did so far, and i am sure you'll 
bring a lot of enthusiasm and new energies in the wget community.


> I have had the opportunity to go over most of the wget source code, and
> the last couple of years' worth of mailing list archives. This has given
> me a fairly good sense of where the project is, and where it could be
> going. I already have some ideas of some of the things I would like to
> see happen; many of them are already in the current TODO file. I've also
> assigned rough priorities (my own) to things I've seen in the TODO file,
> or bugs that have been reported on-list. Ideally, I'd like to start
> using a bug tracker to handle these; reading from the list, I know that
> this was Mauro's desire as well. Has consideration been given to using
> Savannah for this purpose?

yes, we definitely need a bug tracker.


> Being that we seem to be very close to a release, I do not want to make
> a bunch of sudden changes, either to current processes or to the current
> plans for the imminent release. However, there are a couple of small
> items that I feel should absolutely be resolved before 1.11 is released
> officially:
> 
>   - Wget should not be attempting basic authentication before it
> receives a challenge (which could be digest or what have you). This is a
> security issue.

i am not so sure this is a critical point. as hrvoje pointed out, basic 
authentication is definitely the most used authentication mechanism on the web, 
so changing the current policy to perform digest authentication first and use 
basic authentication as a failover might result in a performance penalty. in 
addition, both basic and digest authentication are meant to be used in https 
only. in fact, while digest authentication does not send the password in clear 
text over the wire, it certainly does not protect from MiM attacks.

wrt digest authentication, it would be nice to have it work for proxy 
connections as well. so far, wget supports only basic authentication for HTTP 
proxies (no NTLM authentication either).


>   - There was a report to the mailing list that user:pass information
> was being sent in the Referer header. I didn't see any further activity
> on that thread, and haven't yet had the opportunity to confirm this; it
> may be an old, fixed issue. However, if it's true, I would consider this
> to be a show-stopper.

yes, we need to check that.

> I expect that both of these issues would require very small effort to
> resolve.

don't be so sure about it ;-)


> Also, GNU maintainers have been asked to move all packages to version 3
> of the GPL, which will be released on Friday the 29th. Ideally,
> maintainers have been asked to coincide releases with the license
> updates with the release of GPLv3; I don't think this is feasible in our
> case. Barring that, we have been asked to get such a release out by
> end-of-July. I'm not certain whether 1.11 will be ready in time; in that
> case, we could probably issue a 1.10.3 with only the licensing change.

IMVHO, the code in the trunk is ready to be released.


-- 
Mauro Tortonesi <[EMAIL PROTECTED]>

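As an added example (not wget's code and not part of this thread), the following Python sketch shows the two client-side behaviours discussed above: Basic credentials go out only after a WWW-Authenticate challenge that offers Basic, never preemptively, and user:pass is stripped from a URL before it is used as a Referer. The https-only rule, the function names and the sample URLs are assumptions of this example.

```python
"""Challenge-driven Basic auth and a credential-free Referer (example code)."""
import base64
import re
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url):
    """Return url with any user:pass@ removed, safe to send as a Referer."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def parse_challenges(www_authenticate):
    """Return the lowercase scheme names offered in a WWW-Authenticate header.

    Simplified: a scheme is a token at the start or after a comma that is not
    followed by '='; quoted parameter values containing commas are not handled.
    """
    pattern = r"(?:^|,)\s*([A-Za-z][\w-]*)(?=[\s,]|$)"
    return [s.lower() for s in re.findall(pattern, www_authenticate)]


def build_request(url, user, password, challenge=None, referer=None,
                  allow_plaintext=False):
    """Headers a challenge-driven client sends for url.

    challenge is the WWW-Authenticate value from a prior 401, or None on the
    first request. Credentials are attached only when a challenge offers Basic,
    and (a policy assumption of this example) only over https unless
    allow_plaintext is set. The Referer never carries userinfo.
    """
    headers = {}
    if referer is not None:
        headers["Referer"] = strip_userinfo(referer)
    if challenge is not None and "basic" in parse_challenges(challenge):
        if urlsplit(url).scheme != "https" and not allow_plaintext:
            raise ValueError("refusing to send Basic credentials over plaintext")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return headers
```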