* Aryeh Gregor <[email protected]> [Tue, 5 May 2009 09:22:01 -0400]:
> On Tue, May 5, 2009 at 1:51 AM, Dmitriy Sintsov <[email protected]>
> wrote:
> > In #mediawiki IRC channel I've been told that tgz upload is insecure
> > and poses a risk.
>
> Allowing tgz uploads would allow the upload of arbitrary file formats.
> We do not want to do this. For one thing, it's insecure: users might
> think it's safe to install a binary executable just because it's from
> mediawiki.org, but downloads aren't actually vetted. Noticeably
> third-party downloads hopefully will be treated with some more
> caution.
>
> For another thing, allowing archive formats permits the upload of
> content we don't want to permit on ideological grounds, or that cannot
> be distributed under the GFDL. For instance, binaries without
> accompanying source code; or DRM-encumbered data formats; or formats
> that are otherwise not open because, for instance, they aren't
> specified fully enough to permit full open-source implementations
> (e.g., .doc). The first two cases not only are at least arguably
> contrary to Wikimedia's mission -- see
> http://meta.wikimedia.org/wiki/File_format_policy, although that never
> passed AFAIK -- but are probably not legal as long as we're only
> allowed to distribute under the GFDL.
>
> MediaWiki extensions can just have their source code pasted into their
> extension pages. This is marginally less convenient, but not by much.
> I don't think Wikimedia is going to allow arbitrary file formats to
> be uploaded anytime soon (and that's basically what .tgz would
> permit).
>

Pasting the code is suitable only for small extensions; mine is medium-size, has many source files, and I can't imagine installing it in such a way.
I believe there was a trick which would overcome the tgz upload restriction - some years ago, I saw text-format archives inside unix shell scripts, which can be extracted with bash (or maybe even just sh) - probably just MIME decoding, then passing to tar/gzip. Then, such a file can probably be uploaded with a different extension, while on the documentation page one would ask to rename and run the file after a download.

But anyway, I've chosen a _free_ hosting for my extension; I hope the hoster won't delete it any time soon. Just an external tgz link.

Dmitriy

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
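The thread above turns on the fact that a file name says little about what a file contains. The following is an added example, not part of the original messages and not MediaWiki's own upload code: a content-based check that flags archive data whatever extension it arrives under. The function names, thresholds and sample inputs are assumptions made up for the illustration.

```python
import base64
import gzip
import io
import re
import tarfile
import zlib

B64_LINE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")     # one line of armoured data
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S+", re.M)  # uuencode header line

def is_tar(data):  # "ustar" magic sits at offset 257 of a tar header
    return data[257:262] == b"ustar"

def classify_upload(data, min_b64_lines=3):
    """Return the archive-like traits found in the content, ignoring the file name."""
    reasons = []
    if data[:2] == b"\x1f\x8b":                          # gzip magic
        reasons.append("gzip")
        try:  # read only the first tar header, never the whole stream
            head = gzip.GzipFile(fileobj=io.BytesIO(data)).read(512)
        except (OSError, EOFError, zlib.error):
            head = b""
        if is_tar(head):
            reasons.append("tar-in-gzip")
    if is_tar(data):
        reasons.append("tar")
    if UU_BEGIN.search(data):
        reasons.append("uuencode")
    run = best = 0
    for line in data.splitlines():                       # longest run of base64-only lines
        run = run + 1 if B64_LINE.fullmatch(line.strip()) else 0
        best = max(best, run)
    if best >= min_b64_lines:
        reasons.append("base64-block")
    return reasons

def sample_tgz():
    # Constructed sample: a one-file .tgz built in memory.
    payload = bytes(range(256)) * 8
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("Sample/Sample.php")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def sample_text_wrapper():
    # Constructed sample: the same archive as base64 text under a text header.
    return b"Extension bundle, text form\n" + base64.encodebytes(sample_tgz())
```

The base64 run check is a heuristic: it will also flag legitimate text that embeds long encoded blocks, so its result is better used to queue a file for review than to reject it outright.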
