Please don't take it personally: I don't know Peter, I don't know you (for sure I'd like to change this if you come to France). I still get a mixed feeling about Twiki (especially about its security).

But if I recall correctly, Peter is usually not trying to hide security holes, but rather leaves some time to the users (via the ML) to apply some patch. So maybe it's not as black as you believe (maybe just gray :-) ). If Twiki appears to be the best choice for most of the people, maybe we should all consider it in a pragmatic way.

Arnaud

> -----Original Message-----
> From: Michael Holzt [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 4 January 2007 16:35
> To: [email protected]
> Subject: Re: Future of the wiki in 2007?
>
> > I guess I would vote for Twiki if we were changing.
>
> Sorry, twiki isn't going to be installed on _any_ machine controlled by
> me. twiki has a bad history of (overly stupid!) security incidents and
> its main developer (Peter Thoeny) has reacted very unfriendly and also
> unprofessional to people reporting such issues.
>
> I was involved in a case where lots of machines were owned because of a
> very stupid hole in twiki (doing shell execs with unfiltered user input,
> OUCH!). It turned out that Peter already knew about this hole for DAYS,
> but decided to sit on it for some more days while pondering what to do
> now. He planned to write an advisory, but this was due to be published
> ONLY on a twiki-users mailing list, but not to the general public...
>
> Some friend of mine discovered the hole by analyzing the logs of an owned
> machine. An advisory was written (took under 30 minutes) and published
> (after Peter was contacted and acknowledged this). Shortly after this,
> a machine of a friend of Peter was owned and then suddenly Peter blamed
> US because we made the knowledge about the hole public...
>
> So, sorry, but I won't install software from an author who keeps blatant
> security holes secret by purpose.
>
>
> Regards
> Michael
>
> --
> It's an insane world, but I'm proud to be a part of it. -- Bill Hicks

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
