Re: sponsor logo on home of CPAN mirror

2018-01-01 Thread Graham Barr


> On Dec 31, 2017, at 07:25, Henk P. Penning  wrote:
> 
> 
> I don't see how such a change can be kept local ;
> how can it /not/ propagate to downstream mirrors?

If the JSON file was named using the mirror hostname then index.html can 
extract the name from the URL and it wouldn’t matter if the file was propagated 
downstream

Graham

Re: sponsor logo on home of CPAN mirror

2018-01-01 Thread Leo Lapworth
On 1 January 2018 at 17:57, Elaine Ashton  wrote:

> On Jan 1, 2018, at 5:20 PM, Henk P. Penning  wrote:
>
>  I don't understand the "slippery slope".
>   Where is the "slope", and why is it "slippery" ?
>  -- the "how to add a sponsor logo/link" has been around for years
>  -- CPAN's home-page already uses javascript
>  How is adding 1 javascript function and 1 empty  a problem?
>  How is it worse than suggesting to users to tinker with /index.html?
>
>
> I think the ‘slope’, from a syseng perspective is trying to solve a
> problem we don’t quite understand which may have far reaching consequences
> we may not want. I think the saying in programming is akin to ‘patch one
> bug and create two new ones.’ ;)
>
> We have always acknowledged the master mirrors, including funet.fi, which
> was a state/edu network who never requested such recognition. Even when I
> ran search.cpan out of WashU and Webster U, neither University requested
> recognition, nor complained about the resource load, which was rather
> substantial, especially since the hardware was donated and we all
> volunteered our time to maintain it. Hardware, storage and network
> resources have become less expensive in the 20 years since that time.
>
> I suppose my point is that, if your concern is that the number of mirrors
> is declining, the problem may be not as simple as offering sites an
> opportunity to add a logo, which may later lead to a demand for
> advertising, which is where the ‘slippery slope’ comes in (at least for
> me). Understanding the reasons why mirrors are leaving and/or doing so in
> shorter periods of time may lead to a better understanding and solution
> than the current suggestion.
>

I _think_ what Henk was getting at is we currently have rules that are not
clear (but DO allow for a logo/link) and currently lead to people doing
things we don't want. I don't think it has anything to do with the number
of mirrors; now that metacpan and others use the Fastly CDN, the concept of a
'nearby' mirror isn't really relevant (though having mirrors is always good
for other reasons!).

Giving a simple framework to add a logo/link (maybe even copy) for the
hosting mirror clarifies these rules.

I agree offering a config file in /local/ is cleaner than adding a
javascript file in /local/ - because that then makes it extra clear what
is and is not acceptable, and if anyone really cared could then be audited
automatically.

As Henk is probably the best person on the Planet to understand what
Mirrors are doing and what they want, the .json file feels like a nice
solution.

Hope my thoughts are useful.

Leo
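
Added example, not part of the thread and not CPAN's actual index.html code: one way a page script could treat a hostname-named JSON file under /local/ (the suggestions from Graham and Ask) as untrusted data rather than code. The field names name/url/logo, the length limit, the allowed image extensions and both function names are assumptions made for illustration.

```javascript
// Assumed schema for /local/<hostname>.json: {"name": ..., "url": ..., "logo": ...}

// Derive the config file name from the host that serves the page, so a file
// copied to a downstream mirror is never requested there.
function sponsorConfigPath(hostname) {
  const host = String(hostname).toLowerCase();
  // Plain DNS names only; rejects "/", "..", "%" and empty labels.
  if (!/^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*$/.test(host)) return null;
  return `/local/${host}.json`;
}

const ALLOWED_KEYS = new Set(['name', 'url', 'logo']);

// Returns a sanitized {name, url, logo} object, or null if anything is off.
function validateSponsor(jsonText) {
  let cfg;
  try { cfg = JSON.parse(jsonText); } catch { return null; }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) return null;

  // Exactly the known keys, all strings: no room for markup or script fields.
  const keys = Object.keys(cfg);
  if (keys.length !== ALLOWED_KEYS.size || !keys.every(k => ALLOWED_KEYS.has(k))) return null;
  if (!keys.every(k => typeof cfg[k] === 'string')) return null;

  // Display text: short; the page should set it with textContent, never innerHTML.
  if (cfg.name.length === 0 || cfg.name.length > 60) return null;

  // Link target: absolute http(s) URL only, so "javascript:" and "data:" fail.
  let link;
  try { link = new URL(cfg.url); } catch { return null; }
  if (link.protocol !== 'https:' && link.protocol !== 'http:') return null;

  // Logo: one image file directly under /local/, no traversal, no remote host.
  if (!/^\/local\/[A-Za-z0-9_-]+\.(png|gif|jpg)$/.test(cfg.logo)) return null;

  return { name: cfg.name, url: link.href, logo: cfg.logo };
}

// Constructed sample inputs (not taken from any real mirror).
const GOOD = '{"name":"Example University","url":"https://www.example.edu/","logo":"/local/logo.png"}';
const BAD_SCHEME = '{"name":"x","url":"javascript:void(0)","logo":"/local/logo.png"}';
const BAD_EXTRA = '{"name":"x","url":"https://example.org/","logo":"/local/logo.png","html":"<b>hi</b>"}';
const BAD_LOGO = '{"name":"x","url":"https://example.org/","logo":"//cdn.example.net/a.png"}';
```

Because the validator accepts only a fixed set of string fields, the same function can be run offline against each mirror's file, which is the kind of automatic audit mentioned above.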


Re: sponsor logo on home of CPAN mirror

2017-12-31 Thread Henk P. Penning

On Sun, 31 Dec 2017, Elaine Ashton wrote:


Date: Sun, 31 Dec 2017 12:12:06 +0100
From: Elaine Ashton <eash...@mac.com>
To: Henk P. Penning <penn...@uu.nl>
Cc: Elaine -HFB- Ashton <eash...@mac.com>, Robert <rob...@perl.org>,
Ask Bjørn Hansen <a...@perl.org>, cpan-workers <cpan-workers@perl.org>
Subject: Re: sponsor logo on home of CPAN mirror



 Ok ; here is the same thing with a /local/site.json file,
 instead of a /local/site.js file :

   http://cpan.cs.uu.nl/ondex2.html


Hi Elaine,


The entire point of a mirror is that it is an exact duplicate of all others
and the master. 

Whilst I understand that there is a desire to acknowledge the generosity and
resources borne by the host of each mirror, aside from the potential sec
issues and it opening a door for other requests, it bothers me to think that
the anonymity of the network over the decades now needs to be acknowledged
by individual operators which, to my mind, opens the door for advertising,
too. 


  I agree ; I just don't like the current rules, which suggest users
  tamper with "/index.html". I want clean rules and a clean method
  when dealing with (prospective) mirrors.

  I can find only one site that adds a logo ; and it gets it wrong :

http://mirror.easyname.at/cpan/

  ... and then there is crap like :

http://mirror.datacenter.by/pub/CPAN/
http://mirrors.sohu.com/CPAN/
http://mirror.netcologne.de/cpan/
http://cpan.mirror.euserv.net/
http://mirror.de.leaseweb.net/CPAN/
http://ftp.cc.uoc.gr/mirrors/CPAN/
http://mirror.faraso.org/CPAN/
http://ftp.nluug.nl/languages/perl/CPAN/
http://cpan.mirror.anlx.net/ [yellowbot ??]
...


I can’t imagine most mirrors are such a great burden on network resources as
to be needing some kind of remuneration in the form of a logo or
advertising. 


  Well, the number of mirror sites has been dropping steadily,

http://mirrors.cpan.org/stats/hist/

  compensated by 36 metacpan mirrors (CDN). Universities are
  giving up ; managers are cutting costs for non-essential stuff.
  Perhaps a logo here and there is enough to keep mirrors online.


            -=]) elaine ashton // eash...@mac.com // HFB ([=-


  Regards,

  HPP

Henk P. Penning, ICT-beta                 R Uithof MG-403
Faculty of Science, Utrecht University    T +31 30 253 4106
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl

Re: sponsor logo on home of CPAN mirror

2017-12-31 Thread Henk P. Penning

On Sun, 31 Dec 2017, Robert wrote:


Date: Sun, 31 Dec 2017 09:21:26 +0100
From: Robert <rob...@perl.org>
To: Ask Bjørn Hansen <a...@perl.org>
Cc: Henk P. Penning <penn...@uu.nl>, cpan-workers <cpan-workers@perl.org>
Subject: Re: sponsor logo on home of CPAN mirror

Encouraging mirrors to inject code is a very bad idea from a security
perspective.  I agree with Ask that allowing them to inject config is safer
but is still a slippery slope.


  Ok ; here is the same thing with a /local/site.json file,
  instead of a /local/site.js file :

http://cpan.cs.uu.nl/ondex2.html

  View the page's source for javascript code and user instructions.

  I think I prefer having local mods confined to "/local/",
  and to disallow any other changes.

  Regards,

  Henk Penning


On Sat, Dec 30, 2017 at 9:58 PM, Ask Bjørn Hansen <a...@perl.org> wrote:
  Rather than having it execute javascript that’s locally
  modified, maybe we could have it just load some JSON?

  I know that the mirror can technically change anything, so this
  is not really a technical argument.

  I think it’s important to maintain a stance that it’s
  unacceptable to change anything (other than this…). Changing a
  bit of meta data (a JSON file) seems less slippery slope than
  changing a bit of website code.


  Ask







Re: sponsor logo on home of CPAN mirror

2017-12-31 Thread Robert
Encouraging mirrors to inject code is a very bad idea from a security
perspective.  I agree with Ask that allowing them to inject config is safer
but is still a slippery slope.

On Sat, Dec 30, 2017 at 9:58 PM, Ask Bjørn Hansen  wrote:

> Rather than having it execute javascript that’s locally modified, maybe we
> could have it just load some JSON?
>
> I know that the mirror can technically change anything, so this is not
> really a technical argument.
>
> I think it’s important to maintain a stance that it’s unacceptable to
> change anything (other than this…). Changing a bit of meta data (a JSON
> file) seems less slippery slope than changing a bit of website code.
>
>
> Ask


Re: sponsor logo on home of CPAN mirror

2017-12-30 Thread Henk P. Penning

On Sun, 31 Dec 2017, Ask Bjørn Hansen wrote:


Date: Sun, 31 Dec 2017 06:58:48 +0100
From: Ask Bjørn Hansen <a...@perl.org>
To: Henk P. Penning <penn...@uu.nl>
Cc: cpan-workers <cpan-workers@perl.org>
Subject: Re: sponsor logo on home of CPAN mirror

Rather than having it execute javascript that’s locally modified,
maybe we could have it just load some JSON?



I know that the mirror can technically change anything, so this is not
really a technical argument.

I think it’s important to maintain a stance that it’s unacceptable to
change anything (other than this…). Changing a bit of meta data (a
JSON file) seems less slippery slope than changing a bit of website
code.


  The idea is that the mirror-operator may add a directory /local/
  and exclude it in the rsync : --exclude /local/.
  That would be the ONLY change that is allowed ; no EXCEPT.
  If applicable, an operator is also required to
  exclude /local/ in his/her rsyncd.conf.

  I think that is a little cleaner than the current rule
  that says that an operator may change /index.html :

 You are not allowed to alter any file
 in your public mirror of CPAN
 EXCEPT
 that you can add a short acknowledgement for example
 for your hosting company, company, university, or sponsor,
 into this CPAN top-level index.html by adding a small
 non-animated image and a hyperlink pointing to your organization
 with text like "hosted by", "powered by", or "sponsored by",
 by placing it visually next to the "CPAN master site hosted by YellowBot"
 acknowledgement at the bottom of the page.
 The image used may not be larger than the one used for the YellowBot logo.
 (Technical sidenote: if you do add an acknowledgement link,
 please do think of the consequences to your possible downstream
 CPAN mirrors.)
 Altering this index.html in any other way is not allowed.
 Altering any other files is not allowed.

  I don't see how such a change can be kept local ;
  how can it /not/ propagate to downstream mirrors?


Ask


  Regards,

  Henk Penning


Re: sponsor logo on home of CPAN mirror

2017-12-30 Thread Zefram
Henk P. Penning wrote:
>  -- add a javascript function "hostedby()"
>  -- add an empty  in the "footer_mirror" section

I certainly approve of only showing the logo to people who run JavaScript.

-zefram