On Fri, Jan 18, 2013 at 3:51 PM, Paul Boddie <p...@boddie.org.uk> wrote:
> M.-A. Lemburg wrote:
>> On 18.01.2013 19:59, Neil Schemenauer wrote:
>> > [PSF list removed]
>> >
>> > On 2013-01-18, M.-A. Lemburg wrote:
>> >> In other words, the backdoor will likely have been open for
>> >> several months.
>> >
>> > My thanks to all the work put in by volunteers. Has there been any
>> > consideration given to using different wiki software? It's my
>> > impression that MoinMoin has a quite poor record with regard to
>> > security:
>> >
>> > http://moinmo.in/SecurityFixes
>> >
>> > The abundance of past holes doesn't predict future ones but in
>> > general there seems to be a correlation.
>>
>> I think that's a misinterpretation. MoinMoin is used in a *lot*
>> of places and so finding vulnerabilities becomes more attractive
>> than for other similar software.
>
> Agreed. Just because the MoinMoin project has openly published advisories (and
> fixed vulnerabilities) doesn't mean that it has a "poor record", or at least
> a record that is poorer than other software. I happen to be subscribed to
> notifications for MediaWiki, for example, and advisories are regularly
> published exhorting users to upgrade in order to fix various issues.
>
> We could spend substantial effort migrating to something else without any
> guarantee of improved security and with substantial inconvenience incurred.
> As I noted on a rather tiresome thread on the PSF list, throwing everything
> out in order to do things some other, supposedly "better" way is an
> unfortunate Python community tendency that we shouldn't indulge. I also think
> that using people's software and then abandoning it (and them) when we find
> something we don't like about it, instead of offering to improve it, is
> counterproductive if not a betrayal of those people.

Speaking of improving it: on Wednesday, the PSF approved a grant to expedite
development efforts that the MoinMoin team is putting in to using passlib for
their password handling.

_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www