On Fri, Jun 22, 2007 at 10:28:52AM -0700, David Roundy wrote:
> On Fri, Jun 15, 2007 at 07:58:19PM -0700, Simon Michael wrote:
> > David, Jason, thanks for your work on this!
> >
> > I'd like to watch the patches as they go by and try to learn more. David, I
> > wonder if it might be possible to set up darcsweb[1] on darcs.net ? I think
> > it makes browsing more pleasant, and therefore would encourage new
> > developers (as well as old ones). I'm cc'ing OSUOSL as I hear they might be
> > the ones maintaining the site. I run darcsweb myself and would donate some
> > time if it would help.
>
> It took less than a minute to set up (wonders of debian...), so darcsweb is
> up now, although there aren't any links to it (could you submit a patch?).
> It's at http://darcs.net/darcsweb.

Having done this (perhaps a little late), I'd be more comfortable if we were to perform a security audit of darcsweb. It's doing something inherently dangerous (calling darcs with possibly hostile input), and I'd rather not allow that without some degree of confidence that it's done safely. Particularly as by using darcsweb we could be viewed as endorsing it, and I don't want to endorse something that could compromise folk's servers.

Do you think someone familiar with darcsweb (or just python) could put together a complete table of scenarios in which darcs may be called, and what kind of input might be passed to it? If so, I would be happy (perhaps after my honeymoon is over...) to look over it for calls that could potentially be dangerous.

-- 
David Roundy
Department of Physics
Oregon State University
_______________________________________________
darcs-devel mailing list
http://lists.osuosl.org/mailman/listinfo/darcs-devel
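
The table of darcs invocations asked for in the message above can also be kept as code, so that no call outside the table is possible. The following is an added example, not darcsweb's code and not part of the original thread; the action names, REPO_ROOT, and the allowlist patterns (including the patch-hash format) are assumptions made for illustration.

```python
import re
import subprocess

REPO_ROOT = "/srv/darcs"  # assumed location of the published repositories

# One allowlist pattern per kind of request-supplied value (all assumed formats).
VALIDATORS = {
    "repo": re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}"),
    "hash": re.compile(r"[0-9]{14}-[0-9a-f]{5}-[0-9a-f]{40}\.gz"),
    # Every path segment starts with an alphanumeric: no "-option", no "..".
    "path": re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*(?:/[A-Za-z0-9][A-Za-z0-9_.-]*)*"),
}

# The audit table: every way darcs may be invoked, and which inputs reach it.
CALLS = {
    "log":     (["changes", "--xml-output"], set()),
    "commit":  (["changes", "--xml-output", "--match", "hash {hash}"], {"hash"}),
    "filelog": (["changes", "--xml-output", "{path}"], {"path"}),
}


def build_argv(action, repo, **params):
    """Return the argv list for one table entry, or raise ValueError."""
    if action not in CALLS:
        raise ValueError("unknown action: %r" % (action,))
    template, needed = CALLS[action]
    if set(params) != needed:
        raise ValueError("%s takes exactly %s" % (action, sorted(needed)))
    values = dict(params, repo=repo)
    for name, value in values.items():
        if not isinstance(value, str) or not VALIDATORS[name].fullmatch(value):
            raise ValueError("rejected %s: %r" % (name, value))
    # Each template element stays a single argv element after substitution.
    args = [part.format(**values) for part in template]
    return ["darcs"] + args + ["--repodir", REPO_ROOT + "/" + repo]


def run_darcs(action, repo, **params):
    """Run darcs without a shell, so no value is re-parsed as shell syntax."""
    argv = build_argv(action, repo, **params)
    return subprocess.run(argv, capture_output=True, timeout=30, check=True).stdout
```

The hash pattern matters even without a shell, because the value lands inside a darcs match expression, which has its own operators.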
