On 18.01.2013 19:59, Neil Schemenauer wrote:
> [PSF list removed]
>
> On 2013-01-18, M.-A. Lemburg wrote:
>> In other words, the backdoor will likely have been open for
>> several months.
>
> My thanks to all the work put in by volunteers. Has there been any
> consideration given to using different wiki software? It's my
> impression that MoinMoin has a quite poor record with regard to
> security:
>
> http://moinmo.in/SecurityFixes
>
> The abundance of past holes doesn't predict future ones but in
> general there seems to be a correlation.

I think that's a misinterpretation. MoinMoin is used in a *lot* of
places and so finding vulnerabilities becomes more attractive than
for other similar software.

I agree, though, that a security audit would probably not hurt :-)
Perhaps they should have one of their GSoC students run such an
audit this summer.

> Whatever software we use,
> keeping the wiki separated (e.g. in its own VM) is definitely a good
> idea. Anytime you allow remote users to create content the risks
> are high.

True.

Let's not overreact :-) Without the incident we would still be
under the assumption that we have backups for everything...

It also shows that we have to make a few enhancements to the way
we do logging; but that's going to be a new thread.

--
Marc-Andre Lemburg
eGenix.com