M.-A. Lemburg wrote:

> On 18.01.2013 19:59, Neil Schemenauer wrote:
> > [PSF list removed]
> >
> > On 2013-01-18, M.-A. Lemburg wrote:
> >> In other words, the backdoor will likely have been open for
> >> several months.
> >
> > My thanks to all the work put in by volunteers. Has there been any
> > consideration given to using different wiki software? It's my
> > impression that MoinMoin has a quite poor record with regard to
> > security:
> >
> > http://moinmo.in/SecurityFixes
> >
> > The abundance of past holes doesn't predict future ones but in
> > general there seems to be a correlation.
>
> I think that's a misinterpretation. MoinMoin is used in a *lot*
> of places and so finding vulnerabilities becomes more attractive
> than for other similar software.

Agreed. Just because the MoinMoin project has openly published advisories (and fixed vulnerabilities) doesn't mean that it has a "poor record", or at least a record that is poorer than other software. I happen to be subscribed to notifications for MediaWiki, for example, and advisories are regularly published exhorting users to upgrade in order to fix various issues. We could spend substantial effort migrating to something else without any guarantee of improved security and with substantial inconvenience incurred.

As I noted on a rather tiresome thread on the PSF list, throwing everything out in order to do things some other, supposedly "better" way is an unfortunate Python community tendency that we shouldn't indulge. I also think that using people's software and then abandoning it (and them) when we find something we don't like about it, instead of offering to improve it, is counterproductive if not a betrayal of those people.

> I agree, though, that a security audit would probably not
> hurt :-) Perhaps they should have one of their GSoC students
> run such an audit this summer.
>
> > Whatever software we use,
> > keeping the wiki separated (e.g. in its own VM) is definitely a good
> > idea. Anytime you allow remote users to create content the risks
> > are high.
>
> True.

I don't want to speculate on what should be done or should have been done because I think the MoinMoin developers do a lot of thankless work supporting their software so that others may freely benefit from it, but there are certainly measures that might be taken to reduce the risk of running this and other Web applications.

> Let's not overreact :-) Without the incident we would still be under
> the assumption that we have backups for everything...
>
> It also shows that we have to make a few enhancements to the way
> we do logging; but that's going to be a new thread.

I think the way forward is to be constructive and to consider how the Wiki can enhance what the complete python.org site offers and how we can be sure that it operates in a way that can be considered acceptable. If that involves spending time and effort on improving the software, then we should encourage that to happen through whatever reasonable means we have at our disposal.

Paul

_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www