Re: [CODE4LIB] code4lib.org hosting
Just a reminder, everyone, this conversation is today at 7PM GMT (3PM EDT/Noon PDT) in #code4lib.

Hope to see you all there,
-Ross.

On 7/27/07, Ed Summers [EMAIL PROTECTED] wrote:

As you may have seen or experienced code4lib.org is down for the count at the moment because of some hackers^w crackers who compromised anvil and defaced various web content and otherwise messed with the operating system. anvil is a machine that several people in the code4lib community run and pay for themselves.

Given that code4lib has grown into a serious little gathering, with lots of effort being expended by the likes of Jeremy Frumkin and Brad LaJenuesse to make things happen -- it seems a shame to let this sort of thing happen. We don't have any evidence, but it seems that the entry point was the fact that various software packages weren't kept up to date.

Anyhow, this is a long way of inviting you to a discussion Aug 1st @7PM GMT in irc://chat.freenode.net/code4lib to see what steps need to be taken to help prevent this from happening in the future. Specifically we're going to be talking about moving some of the web applications to institutions that are better set up to manage them. If this interests you at all try to attend!

//Ed
Re: [CODE4LIB] executing a cgi script in the middle of a url
Note also that, unless something has changed in more recent releases from MS, if you attempt to use IIS instead of Apache, path_info() in Perl's CGI won't work.

My (undirected) approach eventually led me to use mod_rewrite and regular Apache AliasMatch and ScriptAliasMatch commands. Example:
___
RewriteEngine on
# Map /barcodes/<id>.js and /names/<name>.js onto the CGI scripts, passing
# the captured part as the query string; [E=...] also sets BARCODE.
RewriteRule /barcodes/([inosx]?[0-9]+)\.js /cgi-bin/barcode.pl?$1 [E=BARCODE:$1]
# [A-Za-z] rather than [A-z], which would also match [ \ ] ^ _ and `
RewriteRule /names/([A-Za-z]+)\.js /cgi-bin/name.pl?$1 [E=BARCODE:$1]
# Serve images, css and cgi-bin from the application directory wherever
# they appear in the URL path.
AliasMatch ^.*/images/(.*) /var/apache/htdocs/my_app_1/images/$1
AliasMatch ^.*/css/(.*) /var/apache/htdocs/my_app_1/css/$1
ScriptAliasMatch ^.*/cgi-bin/(.*) /var/apache/htdocs/my_app_1/cgi-bin/$1
___
The bracketed parts at the back end just set the environmental variable BARCODE, strictly optional.

--joe
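A small check of what the two RewriteRule patterns in the message above accept and what they hand to the scripts, added here as an example and not part of the original message. Python's `re` stands in for Apache's regex engine, the letters class is written as `[A-Za-z]`, and the `ARG_CHECK` table and the function names are assumptions made for illustration.

```python
import re

# The two RewriteRule patterns from the message, with the letters class
# written out as [A-Za-z]. Python's re is an assumed stand-in for Apache's
# regex engine; for patterns this simple the two behave the same.
RULES = [
    (re.compile(r"/barcodes/([inosx]?[0-9]+)\.js"), "/cgi-bin/barcode.pl"),
    (re.compile(r"/names/([A-Za-z]+)\.js"), "/cgi-bin/name.pl"),
]

# Hypothetical check each script applies to its whole query string. The
# ScriptAliasMatch line also exposes /cgi-bin/ directly, so a request can
# reach the script without passing through a RewriteRule pattern first.
ARG_CHECK = {
    "/cgi-bin/barcode.pl": re.compile(r"[inosx]?[0-9]+"),
    "/cgi-bin/name.pl": re.compile(r"[A-Za-z]+"),
}


def rewrite(path):
    """Return (script, query, env) for the first matching rule, else None.

    RewriteRule patterns are unanchored, so search() is the right model:
    the match may sit in the middle of the URL path.
    """
    for pattern, script in RULES:
        m = pattern.search(path)
        if m:
            return script, m.group(1), {"BARCODE": m.group(1)}
    return None


def script_accepts(script, query):
    """Re-validate inside the CGI script: the whole query must match."""
    check = ARG_CHECK.get(script)
    return bool(check and check.fullmatch(query))


def loose_range_extras():
    """Characters a class written as A-z admits beyond the 52 letters."""
    return "".join(c for c in map(chr, range(ord("A"), ord("z") + 1))
                   if not c.isalpha())
```
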
Re: [CODE4LIB] code4lib.org hosting
I look forward to the proposal from OSU that should be mailed out to the list shortly. The discussion that just took place in #code4lib got me thinking.

As I see it, the issue here has two parts. First, the machine was cracked, and, second, service hasn't been restored following the attack. The code4lib.org site and its various subdomains have served a community with a variety of needs, many of which require command line access and the ability to install programs and services. Maybe some increased restriction as to who has this access and what may be done with it is called for, but even with greater restriction and more vigilant sysadmins it's likely that the machine will get cracked again at some point.

While I hope we'll have a more secure box for code4lib in the future, I'm also excited about plans for a system that can bounce back quicker. In addition to local and remote backups, we could use full mirrors ready for a DNS switch. Several mirror host machines were even offered in the discussion. Are there other strategies we might employ to make code4lib.org more resilient?

On Fri, Jul 27, 2007 at 05:18:06PM -0400, Ed Summers wrote:

As you may have seen or experienced code4lib.org is down for the count at the moment because of some hackers^w crackers who compromised anvil and defaced various web content and otherwise messed with the operating system. anvil is a machine that several people in the code4lib community run and pay for themselves.

Given that code4lib has grown into a serious little gathering, with lots of effort being expended by the likes of Jeremy Frumkin and Brad LaJenuesse to make things happen -- it seems a shame to let this sort of thing happen. We don't have any evidence, but it seems that the entry point was the fact that various software packages weren't kept up to date.

Anyhow, this is a long way of inviting you to a discussion Aug 1st @7PM GMT in irc://chat.freenode.net/code4lib to see what steps need to be taken to help prevent this from happening in the future. Specifically we're going to be talking about moving some of the web applications to institutions that are better set up to manage them. If this interests you at all try to attend!

//Ed
Re: [CODE4LIB] code4lib.org hosting
Gabe,

I think the OSU proposal addresses your concerns (having people volunteer redundant servers is also a great idea).

The machine that was cracked hasn't bounced back quickly because I'm the only one with physical access to it and I've been on vacation. I'm back and waiting now on getting an access pass (which should be assigned to me tomorrow) so that I can get in and swap out the hard drive (with one with a fresh OS). We have the backups from Anvil though so movement to a new machine at OSU doesn't really need to wait on anvil at this point.

Anvil really was never intended to be a production machine and having Code4Lib hosted at OSU where there is a sysadmin attending to it (and policies about access, what can be installed, etc.) seems to me like it will solve the problems we've had in the past. It was fine letting Code4Lib grow a little in the anvil space, but I think the needs of its community have outgrown anvil (and I think this was the general consensus in the channel today).

Thanks to OSU for stepping up and giving us a viable alternative! I know we'll have at least two places willing to mirror the Code4Lib site. The more the merrier though!

Kevin

On 8/1/07, Gabriel Farrell [EMAIL PROTECTED] wrote:

I look forward to the proposal from OSU that should be mailed out to the list shortly. The discussion that just took place in #code4lib got me thinking.

As I see it, the issue here has two parts. First, the machine was cracked, and, second, service hasn't been restored following the attack. The code4lib.org site and its various subdomains have served a community with a variety of needs, many of which require command line access and the ability to install programs and services. Maybe some increased restriction as to who has this access and what may be done with it is called for, but even with greater restriction and more vigilant sysadmins it's likely that the machine will get cracked again at some point.

While I hope we'll have a more secure box for code4lib in the future, I'm also excited about plans for a system that can bounce back quicker. In addition to local and remote backups, we could use full mirrors ready for a DNS switch. Several mirror host machines were even offered in the discussion. Are there other strategies we might employ to make code4lib.org more resilient?

On Fri, Jul 27, 2007 at 05:18:06PM -0400, Ed Summers wrote:

As you may have seen or experienced code4lib.org is down for the count at the moment because of some hackers^w crackers who compromised anvil and defaced various web content and otherwise messed with the operating system. anvil is a machine that several people in the code4lib community run and pay for themselves.

Given that code4lib has grown into a serious little gathering, with lots of effort being expended by the likes of Jeremy Frumkin and Brad LaJenuesse to make things happen -- it seems a shame to let this sort of thing happen. We don't have any evidence, but it seems that the entry point was the fact that various software packages weren't kept up to date.

Anyhow, this is a long way of inviting you to a discussion Aug 1st @7PM GMT in irc://chat.freenode.net/code4lib to see what steps need to be taken to help prevent this from happening in the future. Specifically we're going to be talking about moving some of the web applications to institutions that are better set up to manage them. If this interests you at all try to attend!

//Ed
Re: [CODE4LIB] code4lib.org hosting
It would be helpful if somebody could post a transcript of this discussion. -Dan
Re: [CODE4LIB] code4lib.org hosting
On 8/1/07, D Chudnov [EMAIL PROTECTED] wrote:

Okay, I've read a transcript copy that somebody sent me privately. I have a few concerns that I'm going to voice strongly, and I think they represent questions that need to be answered before I'll be comfortable with any particular plan. It doesn't mean I don't love you.

Whatever. There was that night after the Kappa Sig social, but you haven't called since.

1. Why isn't the www.code4lib.org site already back up (at minimum)? When the server became unavailable during c4lc 2007, we were able to restore from offsite backups and have an emergency-mode snapshot live and useful within a matter of a few hours at most. It seems this could have been done within a few days if there had been offsite backups available.

Eh, what? We have offsite backups, yes. What we don't have are:
1) anywhere to put them back to
2) a plan to proceed once something is back up
3) the resources to dedicate to get code4lib.org running as it was (temporarily, I might add), as in somebody that has the time to do the work (remember, we didn't even have time to keep it up to date in the first place)
4) a hugely pressing need (we're not, after all, in the middle of the eponymous conference)

2. Are there offsite backups of the www.code4lib.org site - its files and database?

Yes, and they live on my machine at work. If the hackers^Wcrackers converge on rsinger.library.gatech.edu tonight, we're sunk.

3. The discussion seemed to only involve one proposal. There wasn't a call for any other proposals, and it wasn't clear to me that by missing this meeting (I was at a gathering with several other people with an interest in anvil and other things c4l) that I would miss out on any opportunity to have input. I'd like to propose a different hosting plan. Shouldn't there be a chance for more discussion here?

Who's stopping you? We announced a 'town hall meeting', nobody publicly dissented on the mailing list. We're 'discussing' now, you're complaining but not articulating an alternative. You mentioned ibiblio in channel, but until something tangible is offered, the Oregon State offer meets the 'one in hand is worth two in the bush' criteria.

4. Could somebody please post (to this list) an exact statement of what the current proposal is?

Supposedly Jeremy Frumkin, Ryan Ordway, Ed Summers and Kevin Clarke will work this out and announce it publicly.

5. Could somebody please post the transcript to the list? This would be useful. Then my reservations about this decision (which may not seem obvious from this email) could go on public record.

I understand that some of these questions might seem to be coming a bit late, and I'm sorry to be in a position where my jerkiness is all the worse because of it. But I still think these are questions that need answers.

I don't think anything has been 'decided'. We had a meeting, OSU stepped forward, nobody present objected. www.code4lib.org is still 'down'.

-Ross.
Re: [CODE4LIB] okay to post the code4lib.org hosting discussion transcript?
+1

-Ross.

On 8/1/07, Gabriel Farrell [EMAIL PROTECTED] wrote:

I've got a transcript of the discussion all ready to post if there are no objections. I'll wait until tomorrow afternoon.

Gabe
Re: [CODE4LIB] code4lib.org hosting
On 8/1/07, Ross Singer [EMAIL PROTECTED] wrote:

1. Why isn't the www.code4lib.org site already back up (at minimum)?

Eh, what? We have offsite backups, yes. What we don't have are:
1) anywhere to put them back to
2) a plan to proceed once something is back up
3) the resources to dedicate to get code4lib.org running as it was (temporarily, I might add), as in somebody that has the time to do the work (remember, we didn't even have time to keep it up to date in the first place)
4) a hugely pressing need (we're not, after all, in the middle of the eponymous conference)

1) we could have found someplace
2) this is a problem either way
3) this is a problem either way
4) a few days' downtime is one thing - a few weeks' is another.

2. Are there offsite backups of the www.code4lib.org site - its files and database?

Yes, and they live on my machine at work.

Let's set up a second backup of your backup? I'll take a copy, and add another to s3 for safer-keeping.

3. The discussion seemed to only involve one proposal. There wasn't a call for any other proposals, and it wasn't clear to me that by missing this meeting (I was at a gathering with several other people with an interest in anvil and other things c4l) that I would miss out on any opportunity to have input. I'd like to propose a different hosting plan. Shouldn't there be a chance for more discussion here?

Who's stopping you? We announced a 'town hall meeting', nobody publicly dissented on the mailing list. We're 'discussing' now, you're complaining but not articulating an alternative. You mentioned ibiblio in channel, but until something tangible is offered, the Oregon State offer meets the 'one in hand is worth two in the bush' criteria.

Nobody is stopping me. I was offline all weekend, and busy otherwise, and it wasn't clear to me whether this was a done deal already. I'm not complaining, I'm just seeking clarification. In a complainy-sounding way.

I understand that some of these questions might seem to be coming a bit late, and I'm sorry to be in a position where my jerkiness is all the worse because of it. But I still think these are questions that need answers.

I don't think anything has been 'decided'. We had a meeting, OSU stepped forward, nobody present objected. www.code4lib.org is still 'down'.

I propose that we move hosting of www.code4lib.org to ibiblio if they'll have us. They've been there for 15(+?) years, they are there for exactly this purpose, and they're not for-profit. I've had good luck hosting things there, and they're liberal about accounts, so long as you don't prove to be an idiot. To support this I'd be happy to sign up for support duties.

Separately I can bring up an emergency/temporary backup of the www.code4lib.org site if it is not otherwise possible before the end of the week. I'm in transit all day tomorrow, but let me know by first thing Friday

-Dan
Re: [CODE4LIB] code4lib.org hosting
On 8/1/07, D Chudnov [EMAIL PROTECTED] wrote:

Separately I can bring up an emergency/temporary backup of the www.code4lib.org site if it is not otherwise possible before the end of the week. I'm in transit all day tomorrow, but let me know by first thing Friday

Shoot, sorry, eager ibook touchpad sent that too soon. What I was going to finish was: let me know by first thing Friday a.m. if there's a problem bringing the site back up temporarily and I'll re-load the same backup server instance I had before as soon as I can get a copy of the newer data.

-Dan