From piotr at tynecki.pl  Wed Jan  2 01:55:34 2013
From: piotr at tynecki.pl (Piotr Tynecki)
Date: Wed, 2 Jan 2013 01:55:34 +0100
Subject: [pydotorg-www] DjangoCon Europe 2013 - update conferences and
	workshops list
Message-ID: <CAOdyDDLbLcsaVCP0ywKog0NGn5fdRn_3HdhOacE3-stdC1BS3A@mail.gmail.com>

To whom it may concern,

My name is Piotr Tynecki. I am the Polish Python Coders
Group<http://pl.python.org/> founder
and DjangoCon Europe <http://2013.djangocon.eu/> volunteer.

It will be possible to add a link to the DjangoCon Europe conference
on *Conferences
and Workshops list*?

http://www.python.org/community/workshops/

Thanking you for your time and assistance.

Yours faithfully,
Piotr Tynecki

-- 
*Piotr Tynecki*
piotr at tynecki.pl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130102/652c918c/attachment.html>

From aahz at pythoncraft.com  Wed Jan  2 02:26:03 2013
From: aahz at pythoncraft.com (Aahz)
Date: Tue, 1 Jan 2013 17:26:03 -0800
Subject: [pydotorg-www] DjangoCon Europe 2013 - update conferences and
 workshops list
In-Reply-To: <CAOdyDDLbLcsaVCP0ywKog0NGn5fdRn_3HdhOacE3-stdC1BS3A@mail.gmail.com>
References: <CAOdyDDLbLcsaVCP0ywKog0NGn5fdRn_3HdhOacE3-stdC1BS3A@mail.gmail.com>
Message-ID: <20130102012602.GA19059@panix.com>

On Wed, Jan 02, 2013, Piotr Tynecki wrote:
> 
> My name is Piotr Tynecki. I am the Polish Python Coders
> Group<http://pl.python.org/> founder
> and DjangoCon Europe <http://2013.djangocon.eu/> volunteer.
> 
> It will be possible to add a link to the DjangoCon Europe conference
> on *Conferences
> and Workshops list*?
> 
> http://www.python.org/community/workshops/

Done!  Note that I used http://djangocon.eu/ -- this page is supposed to
be generic links.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From aahz at pythoncraft.com  Wed Jan  2 15:48:54 2013
From: aahz at pythoncraft.com (Aahz)
Date: Wed, 2 Jan 2013 06:48:54 -0800
Subject: [pydotorg-www] Site rebuild: 2013
Message-ID: <20130102144853.GA21129@panix.com>

I've updated the copyright, someone with full build permission needs to
login and kick one off.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From stefan at drees.name  Sun Jan  6 12:33:47 2013
From: stefan at drees.name (Stefan Drees)
Date: Sun, 06 Jan 2013 12:33:47 +0100
Subject: [pydotorg-www] Is someone working on restore of the wiki?
Message-ID: <50E9611B.70300@drees.name>

Dear web team,

since spurious reports on python/moin cause not working links etc seem 
to pile up, is someone actually working on restoring the moinmoin wiki?

 From my access point python.org shows up, but the wiki is giving 
http://wiki.python.org/moin/ HTTP/404 Not found.

All the best,
Stefan.

From sheep at sheep.art.pl  Sun Jan  6 13:20:03 2013
From: sheep at sheep.art.pl (Radomir Dopieralski)
Date: Sun, 6 Jan 2013 13:20:03 +0100
Subject: [pydotorg-www] Is someone working on restore of the wiki?
In-Reply-To: <50E9611B.70300@drees.name>
References: <50E9611B.70300@drees.name>
Message-ID: <CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>

On Sun, Jan 6, 2013 at 12:33 PM, Stefan Drees <stefan at drees.name> wrote:
> Dear web team,
>
> since spurious reports on python/moin cause not working links etc seem to
> pile up, is someone actually working on restoring the moinmoin wiki?
>
> From my access point python.org shows up, but the wiki is giving
> http://wiki.python.org/moin/ HTTP/404 Not found.

As soon as I saw the reports I logged into the server to see what
happened and wehether it's some simple configuration or permission
issue that I could fix easily.
Unfortunately, all the wiki files are missing from the server.
Either they have been deleted, or a remote filesystem got disconnected
(I don't remember how they were stored).
Since I don't have access to the remote filesystems or backups, I left it alone.
-- 
Radomir Dopieralski, http://sheep.art.pl

From rosuav at gmail.com  Sun Jan  6 13:22:36 2013
From: rosuav at gmail.com (Chris Angelico)
Date: Sun, 6 Jan 2013 23:22:36 +1100
Subject: [pydotorg-www] Is someone working on restore of the wiki?
In-Reply-To: <CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>
References: <50E9611B.70300@drees.name>
	<CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>
Message-ID: <CAPTjJmqpWM9GHA1x-CKyTr9kL4h6YH_cy5A_fHM6f_72r42qWg@mail.gmail.com>

On Sun, Jan 6, 2013 at 11:20 PM, Radomir Dopieralski <sheep at sheep.art.pl> wrote:
> On Sun, Jan 6, 2013 at 12:33 PM, Stefan Drees <stefan at drees.name> wrote:
>> Dear web team,
>>
>> since spurious reports on python/moin cause not working links etc seem to
>> pile up, is someone actually working on restoring the moinmoin wiki?
>>
>> From my access point python.org shows up, but the wiki is giving
>> http://wiki.python.org/moin/ HTTP/404 Not found.
>
> As soon as I saw the reports I logged into the server to see what
> happened and wehether it's some simple configuration or permission
> issue that I could fix easily.
> Unfortunately, all the wiki files are missing from the server.
> Either they have been deleted, or a remote filesystem got disconnected
> (I don't remember how they were stored).
> Since I don't have access to the remote filesystems or backups, I left it alone.

It's apparently been taken offline for security reasons:

http://mail.python.org/pipermail/python-list/2013-January/637983.html

ChrisA

From sheep at sheep.art.pl  Sun Jan  6 23:32:02 2013
From: sheep at sheep.art.pl (Radomir Dopieralski)
Date: Sun, 6 Jan 2013 23:32:02 +0100
Subject: [pydotorg-www] Is someone working on restore of the wiki?
In-Reply-To: <CAPTjJmqpWM9GHA1x-CKyTr9kL4h6YH_cy5A_fHM6f_72r42qWg@mail.gmail.com>
References: <50E9611B.70300@drees.name>
	<CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>
	<CAPTjJmqpWM9GHA1x-CKyTr9kL4h6YH_cy5A_fHM6f_72r42qWg@mail.gmail.com>
Message-ID: <CAJ2VPS0PvSqjHJ+At3yiLtkVXWKfNpFJWrO+Uafb7OOQyjAfWg@mail.gmail.com>

On Sun, Jan 6, 2013 at 1:22 PM, Chris Angelico <rosuav at gmail.com> wrote:
> On Sun, Jan 6, 2013 at 11:20 PM, Radomir Dopieralski <sheep at sheep.art.pl> wrote:
>> On Sun, Jan 6, 2013 at 12:33 PM, Stefan Drees <stefan at drees.name> wrote:
>>> Dear web team,
>>>
>>> since spurious reports on python/moin cause not working links etc seem to
>>> pile up, is someone actually working on restoring the moinmoin wiki?
>>>
>>> From my access point python.org shows up, but the wiki is giving
>>> http://wiki.python.org/moin/ HTTP/404 Not found.
>>
>> As soon as I saw the reports I logged into the server to see what
>> happened and wehether it's some simple configuration or permission
>> issue that I could fix easily.
>> Unfortunately, all the wiki files are missing from the server.
>> Either they have been deleted, or a remote filesystem got disconnected
>> (I don't remember how they were stored).
>> Since I don't have access to the remote filesystems or backups, I left it alone.
>
> It's apparently been taken offline for security reasons:
>
> http://mail.python.org/pipermail/python-list/2013-January/637983.html

So, any chance of an official statement about what is happening?
Why was nobody informed about this?
If it's a security problem with MoinMoin, then 1.9.6 that fixes it is
out since some time.

-- 
Radomir Dopieralski, http://sheep.art.pl

From michael at voidspace.org.uk  Sun Jan  6 23:40:11 2013
From: michael at voidspace.org.uk (Michael Foord)
Date: Sun, 6 Jan 2013 22:40:11 +0000
Subject: [pydotorg-www] Is someone working on restore of the wiki?
In-Reply-To: <CAJ2VPS0PvSqjHJ+At3yiLtkVXWKfNpFJWrO+Uafb7OOQyjAfWg@mail.gmail.com>
References: <50E9611B.70300@drees.name>
	<CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>
	<CAPTjJmqpWM9GHA1x-CKyTr9kL4h6YH_cy5A_fHM6f_72r42qWg@mail.gmail.com>
	<CAJ2VPS0PvSqjHJ+At3yiLtkVXWKfNpFJWrO+Uafb7OOQyjAfWg@mail.gmail.com>
Message-ID: <98D1BFCC-833A-438B-BE90-A7A98020ED52@voidspace.org.uk>


On 6 Jan 2013, at 22:32, Radomir Dopieralski <sheep at sheep.art.pl> wrote:

> On Sun, Jan 6, 2013 at 1:22 PM, Chris Angelico <rosuav at gmail.com> wrote:
>> On Sun, Jan 6, 2013 at 11:20 PM, Radomir Dopieralski <sheep at sheep.art.pl> wrote:
>>> On Sun, Jan 6, 2013 at 12:33 PM, Stefan Drees <stefan at drees.name> wrote:
>>>> Dear web team,
>>>> 
>>>> since spurious reports on python/moin cause not working links etc seem to
>>>> pile up, is someone actually working on restoring the moinmoin wiki?
>>>> 
>>>> From my access point python.org shows up, but the wiki is giving
>>>> http://wiki.python.org/moin/ HTTP/404 Not found.
>>> 
>>> As soon as I saw the reports I logged into the server to see what
>>> happened and wehether it's some simple configuration or permission
>>> issue that I could fix easily.
>>> Unfortunately, all the wiki files are missing from the server.
>>> Either they have been deleted, or a remote filesystem got disconnected
>>> (I don't remember how they were stored).
>>> Since I don't have access to the remote filesystems or backups, I left it alone.
>> 
>> It's apparently been taken offline for security reasons:
>> 
>> http://mail.python.org/pipermail/python-list/2013-January/637983.html
> 
> So, any chance of an official statement about what is happening?
> Why was nobody informed about this?
> If it's a security problem with MoinMoin, then 1.9.6 that fixes it is
> out since some time.
> 


I've not heard any word that it was officially "taken offline". It did go down shortly after we received the security warning, but the only person who has mentioned working on this on any of the official channels is Radomir!

The wiki has been down for some time now.

Michael

> -- 
> Radomir Dopieralski, http://sheep.art.pl
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From techtonik at gmail.com  Mon Jan  7 00:01:50 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Mon, 7 Jan 2013 02:01:50 +0300
Subject: [pydotorg-www] Is someone working on restore of the wiki?
In-Reply-To: <CAJ2VPS0PvSqjHJ+At3yiLtkVXWKfNpFJWrO+Uafb7OOQyjAfWg@mail.gmail.com>
References: <50E9611B.70300@drees.name>
	<CAJ2VPS0jgoV4UScRF7DZ_i_w787gnf-TnZXUHo4dpEohdOPjkQ@mail.gmail.com>
	<CAPTjJmqpWM9GHA1x-CKyTr9kL4h6YH_cy5A_fHM6f_72r42qWg@mail.gmail.com>
	<CAJ2VPS0PvSqjHJ+At3yiLtkVXWKfNpFJWrO+Uafb7OOQyjAfWg@mail.gmail.com>
Message-ID: <CAPkN8xKR-ZZ=makrQpHoge05UKZUAwWgJWAupGhwzAxROLpDfQ@mail.gmail.com>

On Mon, Jan 7, 2013 at 1:32 AM, Radomir Dopieralski <sheep at sheep.art.pl>wrote:

> On Sun, Jan 6, 2013 at 1:22 PM, Chris Angelico <rosuav at gmail.com> wrote:
> > On Sun, Jan 6, 2013 at 11:20 PM, Radomir Dopieralski <sheep at sheep.art.pl>
> wrote:
> >> On Sun, Jan 6, 2013 at 12:33 PM, Stefan Drees <stefan at drees.name>
> wrote:
> >>> Dear web team,
> >>>
> >>> since spurious reports on python/moin cause not working links etc seem
> to
> >>> pile up, is someone actually working on restoring the moinmoin wiki?
> >>>
> >>> From my access point python.org shows up, but the wiki is giving
> >>> http://wiki.python.org/moin/ HTTP/404 Not found.
> >>
> >> As soon as I saw the reports I logged into the server to see what
> >> happened and wehether it's some simple configuration or permission
> >> issue that I could fix easily.
> >> Unfortunately, all the wiki files are missing from the server.
> >> Either they have been deleted, or a remote filesystem got disconnected
> >> (I don't remember how they were stored).
> >> Since I don't have access to the remote filesystems or backups, I left
> it alone.
> >
> > It's apparently been taken offline for security reasons:
> >
> > http://mail.python.org/pipermail/python-list/2013-January/637983.html
>
> So, any chance of an official statement about what is happening?
> Why was nobody informed about this?
> If it's a security problem with MoinMoin, then 1.9.6 that fixes it is
> out since some time.


The impact is unknown. If there are no people in infrastructure@ who can
handle this, then community should know to forward security audit request
to appropriate response team.
-- 
anatoly t.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130107/faca220d/attachment-0001.html>

From mal at egenix.com  Thu Jan 10 11:00:30 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 10 Jan 2013 11:00:30 +0100
Subject: [pydotorg-www] Fwd: python.org page descriptions
In-Reply-To: <D7B4AA5D-87BD-4233-B4B1-A897166E140B@voidspace.org.uk>
References: <CAL6_Gk38_wbHh8Sa_aAwd9Ot_DPQWAAB_xcPspZPoOi8K92Hhw@mail.gmail.com>
	<D7B4AA5D-87BD-4233-B4B1-A897166E140B@voidspace.org.uk>
Message-ID: <50EE913E.6030200@egenix.com>

I've modified the build.py to use the title as default for keywords
and description. Not ideal, but still better than "None".

The next site rebuild should fix the problem.

On 31.12.2012 16:29, Michael Foord wrote:
> 
> 
> Begin forwarded message:
> 
>> From: Lance E Sloan <lsloan at umich.edu>
>> Subject: python.org page descriptions
>> Date: 21 December 2012 14:49:54 GMT
>> To: webmaster at python.org
>>
>> Today I wanted to +1 this page on Google+:
>>
>>  http://www.python.org/getit/mac/
>>
>> When I clicked the +1 button (using a Google+ extension for Chrome on
>> Mac OS X), it said the description of the page was:
>>
>>  None
>>
>> Looking at the source of the page, I see:
>>
>>  <meta name="description" content="None" />
>>
>> You should either put descriptions on the Python website pages or
>> remove these meta tags altogether, because this makes posts about
>> python.org on Google+ (and probably other services) look silly.
>>
>> --
>> Lance E Sloan, Application Developer
>> Univ. of Michigan, Info. and Tech. Services, AIS AMP
>> http://www.its.umich.edu/
>> ** Get free online disk space from Dropbox:
>> ** https://www.dropbox.com/spacerace?r=NTQ3OTQ2Njk5
>>
> 
> 
> --
> http://www.voidspace.org.uk/
> 
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing 
> http://www.sqlite.org/different.html
> 
> 
> 
> 
> 
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 10 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                 12 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From michael at voidspace.org.uk  Thu Jan 10 11:03:32 2013
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 10 Jan 2013 10:03:32 +0000
Subject: [pydotorg-www] Fwd: python.org page descriptions
In-Reply-To: <50EE913E.6030200@egenix.com>
References: <CAL6_Gk38_wbHh8Sa_aAwd9Ot_DPQWAAB_xcPspZPoOi8K92Hhw@mail.gmail.com>
	<D7B4AA5D-87BD-4233-B4B1-A897166E140B@voidspace.org.uk>
	<50EE913E.6030200@egenix.com>
Message-ID: <25328D9D-6FBE-46F9-BC63-F3F623B91D76@voidspace.org.uk>


On 10 Jan 2013, at 10:00, "M.-A. Lemburg" <mal at egenix.com> wrote:

> I've modified the build.py to use the title as default for keywords
> and description. Not ideal, but still better than "None".
> 
> The next site rebuild should fix the problem.
> 

Brilliant - thanks for this Marc-Andre.

Michael

> On 31.12.2012 16:29, Michael Foord wrote:
>> 
>> 
>> Begin forwarded message:
>> 
>>> From: Lance E Sloan <lsloan at umich.edu>
>>> Subject: python.org page descriptions
>>> Date: 21 December 2012 14:49:54 GMT
>>> To: webmaster at python.org
>>> 
>>> Today I wanted to +1 this page on Google+:
>>> 
>>> http://www.python.org/getit/mac/
>>> 
>>> When I clicked the +1 button (using a Google+ extension for Chrome on
>>> Mac OS X), it said the description of the page was:
>>> 
>>> None
>>> 
>>> Looking at the source of the page, I see:
>>> 
>>> <meta name="description" content="None" />
>>> 
>>> You should either put descriptions on the Python website pages or
>>> remove these meta tags altogether, because this makes posts about
>>> python.org on Google+ (and probably other services) look silly.
>>> 
>>> --
>>> Lance E Sloan, Application Developer
>>> Univ. of Michigan, Info. and Tech. Services, AIS AMP
>>> http://www.its.umich.edu/
>>> ** Get free online disk space from Dropbox:
>>> ** https://www.dropbox.com/spacerace?r=NTQ3OTQ2Njk5
>>> 
>> 
>> 
>> --
>> http://www.voidspace.org.uk/
>> 
>> 
>> May you do good and not evil
>> May you find forgiveness for yourself and forgive others
>> May you share freely, never taking more than you give.
>> -- the sqlite blessing 
>> http://www.sqlite.org/different.html
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> pydotorg-www mailing list
>> pydotorg-www at python.org
>> http://mail.python.org/mailman/listinfo/pydotorg-www
>> 
> 
> -- 
> Marc-Andre Lemburg
> eGenix.com
> 
> Professional Python Services directly from the Source  (#1, Jan 10 2013)
>>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2013-01-22: Python Meeting Duesseldorf ...                 12 days to go
> 
> ::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
> 
>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>           Registered at Amtsgericht Duesseldorf: HRB 46611
>               http://www.egenix.com/company/contact/
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From frank at python.org  Tue Jan 15 23:00:19 2013
From: frank at python.org (Frank Wierzbicki)
Date: Tue, 15 Jan 2013 14:00:19 -0800
Subject: [pydotorg-www] Wiki news?
Message-ID: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>

Just checking to see what is known about the Python and Jython wiki. I
know about the breach and I know that everything was deleted. Is the
content recoverable? Does anyone know when there will be some update
on when/whether the wikis will reappear?

I really do appreciate all of the hard work that goes into supporting
the infrastructure, so I hope no one reads this as impatience. I just
want to be able to pass on any info to the Jython folks that had
content on the wiki. There's always the wayback machine to get some of
it back if things are as bad as they could be...

-Frank

From michael at voidspace.org.uk  Tue Jan 15 23:05:35 2013
From: michael at voidspace.org.uk (Michael Foord)
Date: Tue, 15 Jan 2013 22:05:35 +0000
Subject: [pydotorg-www] Wiki news?
In-Reply-To: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
Message-ID: <A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>


On 15 Jan 2013, at 22:00, Frank Wierzbicki <frank at python.org> wrote:

> Just checking to see what is known about the Python and Jython wiki. I
> know about the breach and I know that everything was deleted. Is the
> content recoverable? Does anyone know when there will be some update
> on when/whether the wikis will reappear?

There has been no word on progress, ETA, or anything else. Sorry.

Michael

> 
> I really do appreciate all of the hard work that goes into supporting
> the infrastructure, so I hope no one reads this as impatience. I just
> want to be able to pass on any info to the Jython folks that had
> content on the wiki. There's always the wayback machine to get some of
> it back if things are as bad as they could be...
> 
> -Frank
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From jnoller at gmail.com  Tue Jan 15 23:42:46 2013
From: jnoller at gmail.com (Jesse Noller)
Date: Tue, 15 Jan 2013 17:42:46 -0500
Subject: [pydotorg-www] [Infrastructure]  Wiki news?
In-Reply-To: <A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
Message-ID: <DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>

Noah has a new VM ready to go, however it has old information on it. Marc-Andre is working on recovering more recent versions of the content

On Jan 15, 2013, at 5:05 PM, Michael Foord <michael at voidspace.org.uk> wrote:

> 
> On 15 Jan 2013, at 22:00, Frank Wierzbicki <frank at python.org> wrote:
> 
>> Just checking to see what is known about the Python and Jython wiki. I
>> know about the breach and I know that everything was deleted. Is the
>> content recoverable? Does anyone know when there will be some update
>> on when/whether the wikis will reappear?
> 
> There has been no word on progress, ETA, or anything else. Sorry.
> 
> Michael
> 
>> 
>> I really do appreciate all of the hard work that goes into supporting
>> the infrastructure, so I hope no one reads this as impatience. I just
>> want to be able to pass on any info to the Jython folks that had
>> content on the wiki. There's always the wayback machine to get some of
>> it back if things are as bad as they could be...
>> 
>> -Frank
>> _______________________________________________
>> pydotorg-www mailing list
>> pydotorg-www at python.org
>> http://mail.python.org/mailman/listinfo/pydotorg-www
> 
> 
> --
> http://www.voidspace.org.uk/
> 
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing 
> http://www.sqlite.org/different.html
> 
> 
> 
> 
> 
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> http://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: http://mail.python.org/mailman/options/infrastructure/jnoller%40gmail.com

From fwierzbicki at gmail.com  Wed Jan 16 00:00:15 2013
From: fwierzbicki at gmail.com (fwierzbicki at gmail.com)
Date: Tue, 15 Jan 2013 15:00:15 -0800
Subject: [pydotorg-www] [Infrastructure]  Wiki news?
In-Reply-To: <DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
Message-ID: <CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>

On Tue, Jan 15, 2013 at 2:42 PM, Jesse Noller <jnoller at gmail.com> wrote:
> Noah has a new VM ready to go, however it has old information on it. Marc-Andre is working on recovering more recent versions of the content
>

Thanks for the update! This must have been horribly stressful. :(

-Frank

From greg at krypto.org  Wed Jan 16 00:52:49 2013
From: greg at krypto.org (Gregory P. Smith)
Date: Tue, 15 Jan 2013 15:52:49 -0800
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
Message-ID: <CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>

Indeed, thanks for all the work Marc-Andre and everyone else!

fwiw, archive.org has a reasonably recent copy of a crawl of the site:

http://web.archive.org/web/20121127091219/http://wiki.python.org/moin/

Turning that back into mysterious wiki markup and applying changes as
updates on top of whenever the backup was from if it was indeed older than
that is likely to be a lot of work.  I'll be happy with whatever you're
able to recover however you're doing it regardless.

-gps


On Tue, Jan 15, 2013 at 3:00 PM, fwierzbicki at gmail.com <
fwierzbicki at gmail.com> wrote:

> On Tue, Jan 15, 2013 at 2:42 PM, Jesse Noller <jnoller at gmail.com> wrote:
> > Noah has a new VM ready to go, however it has old information on it.
> Marc-Andre is working on recovering more recent versions of the content
> >
>
> Thanks for the update! This must have been horribly stressful. :(
>
> -Frank
> _______________________________________________
> PSF-Members mailing list
> PSF-Members at python.org
> http://mail.python.org/mailman/listinfo/psf-members
> PSF home page (http://www.python.org/psf/)
> PSF membership FAQ (http://www.python.org/psf/membership/)
> PSF members' wiki (http://wiki.python.org/psf/)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130115/f85ce6c4/attachment.html>

From jnoller at gmail.com  Wed Jan 16 01:00:53 2013
From: jnoller at gmail.com (Jesse Noller)
Date: Tue, 15 Jan 2013 19:00:53 -0500
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
Message-ID: <41D62D03-3F93-49A2-B373-5E3AD576E3B9@gmail.com>

That conversion is under way afaik

On Jan 15, 2013, at 6:52 PM, "Gregory P. Smith" <greg at krypto.org> wrote:

> Indeed, thanks for all the work Marc-Andre and everyone else!
> 
> fwiw, archive.org has a reasonably recent copy of a crawl of the site:
> 
> http://web.archive.org/web/20121127091219/http://wiki.python.org/moin/
> 
> Turning that back into mysterious wiki markup and applying changes as updates on top of whenever the backup was from if it was indeed older than that is likely to be a lot of work.  I'll be happy with whatever you're able to recover however you're doing it regardless.
> 
> -gps
> 
> 
> On Tue, Jan 15, 2013 at 3:00 PM, fwierzbicki at gmail.com <fwierzbicki at gmail.com> wrote:
>> On Tue, Jan 15, 2013 at 2:42 PM, Jesse Noller <jnoller at gmail.com> wrote:
>> > Noah has a new VM ready to go, however it has old information on it. Marc-Andre is working on recovering more recent versions of the content
>> >
>> 
>> Thanks for the update! This must have been horribly stressful. :(
>> 
>> -Frank
>> _______________________________________________
>> PSF-Members mailing list
>> PSF-Members at python.org
>> http://mail.python.org/mailman/listinfo/psf-members
>> PSF home page (http://www.python.org/psf/)
>> PSF membership FAQ (http://www.python.org/psf/membership/)
>> PSF members' wiki (http://wiki.python.org/psf/)
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130115/2ed5879a/attachment-0001.html>

From mal at egenix.com  Wed Jan 16 09:08:15 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 16 Jan 2013 09:08:15 +0100
Subject: [pydotorg-www] Wiki news?
In-Reply-To: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
Message-ID: <50F65FEF.6050303@egenix.com>

On 15.01.2013 23:00, Frank Wierzbicki wrote:
> Just checking to see what is known about the Python and Jython wiki. I
> know about the breach and I know that everything was deleted. Is the
> content recoverable? Does anyone know when there will be some update
> on when/whether the wikis will reappear?
> 
> I really do appreciate all of the hard work that goes into supporting
> the infrastructure, so I hope no one reads this as impatience. I just
> want to be able to pass on any info to the Jython folks that had
> content on the wiki. There's always the wayback machine to get some of
> it back if things are as bad as they could be...

Those updates have been posted to the infrastructure list.

I'm working on the recovery together with Reimar Bauer and
Thomas Waldmann (both MoinMoin devs).

Here's an update I sent to the board list yesterday:

"""
I've managed to extract all of the data available archive.org for
the public wikis (the latest version of each page). I'm now
looking into merging this data with the more recent, but incomplete
data from Yahoo/Bing archives. The Google archive could not be used
due to a surge protection they have on their site.

Once this is merged, Reimar will put the HTML files through
a converter that generates wiki markup.

However, before setting up the new VM with the recovered data,
we want to have a closer look at the VM image file Noah made available
yesterday.

>From a first inspection it does contain traces of the wiki files
and even the most recently updated ones from the board
agenda page.

Esp. for the PSF wiki this data is important, since we don't
have any other cache or archive to check.

If we're successful, we can then create a dump of all the recovered
data in wiki format to be loaded back into the archive from
end of June 2012.
"""

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 16 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Wed Jan 16 09:26:58 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 16 Jan 2013 09:26:58 +0100
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
Message-ID: <50F66452.1060601@egenix.com>

On 16.01.2013 00:52, Gregory P. Smith wrote:
> Indeed, thanks for all the work Marc-Andre and everyone else!
> 
> fwiw, archive.org has a reasonably recent copy of a crawl of the site:
> 
> http://web.archive.org/web/20121127091219/http://wiki.python.org/moin/
> 
> Turning that back into mysterious wiki markup and applying changes as
> updates on top of whenever the backup was from if it was indeed older than
> that is likely to be a lot of work.  I'll be happy with whatever you're
> able to recover however you're doing it regardless.

I've been able to recover the pages from archive.org and have also
tried Google cache (which failed due to limits on the number of
allowed requests) and Yahoo/Bing cache. The latter worked, but
only returns a small fraction of the pages we have had in the wiki -
about 300+ pages. They are more recent than the archive.org ones,
though, so I'm trying to merge the Yahoo archive ones back into the
archive.org recovery.

I recovered around 4500 pages from archive.org... in HTML. Reimar
has a tool to convert them back into wiki markup, which we'll
try to use to prepare an import.

Meanwhile I'm also trying to see whether we can still extract some
data from the broken VM image. It does show traces of the wiki
file contents, so the data still exists on the image in some
form. Noah already tried extundelete with no success. I'm going
to give some of the other tools a try as well, e.g. ext4magic
or PhotoRec.

> -gps
> 
> 
> On Tue, Jan 15, 2013 at 3:00 PM, fwierzbicki at gmail.com <
> fwierzbicki at gmail.com> wrote:
> 
>> On Tue, Jan 15, 2013 at 2:42 PM, Jesse Noller <jnoller at gmail.com> wrote:
>>> Noah has a new VM ready to go, however it has old information on it.
>> Marc-Andre is working on recovering more recent versions of the content
>>>
>>
>> Thanks for the update! This must have been horribly stressful. :(
>>
>> -Frank
>> _______________________________________________
>> PSF-Members mailing list
>> PSF-Members at python.org
>> http://mail.python.org/mailman/listinfo/psf-members
>> PSF home page (http://www.python.org/psf/)
>> PSF membership FAQ (http://www.python.org/psf/membership/)
>> PSF members' wiki (http://wiki.python.org/psf/)
>>
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 16 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Wed Jan 16 09:44:00 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 16 Jan 2013 09:44:00 +0100
Subject: [pydotorg-www] Wiki news?
In-Reply-To: <50F65FEF.6050303@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<50F65FEF.6050303@egenix.com>
Message-ID: <50F66850.6000801@egenix.com>

Related to this:

Since I don't think we can recover more data from the available caches,
it may be a good time to redirect the wiki.python.org URL
to a page explaining the problem - perhaps just the blog post at:

http://pyfound.blogspot.de/2013/01/wikipythonorg-compromised.html

Could someone take care to this ?

Thanks.

On 16.01.2013 09:08, M.-A. Lemburg wrote:
> On 15.01.2013 23:00, Frank Wierzbicki wrote:
>> Just checking to see what is known about the Python and Jython wiki. I
>> know about the breach and I know that everything was deleted. Is the
>> content recoverable? Does anyone know when there will be some update
>> on when/whether the wikis will reappear?
>>
>> I really do appreciate all of the hard work that goes into supporting
>> the infrastructure, so I hope no one reads this as impatience. I just
>> want to be able to pass on any info to the Jython folks that had
>> content on the wiki. There's always the wayback machine to get some of
>> it back if things are as bad as they could be...
> 
> Those updates have been posted to the infrastructure list.
> 
> I'm working on the recovery together with Reimar Bauer and
> Thomas Waldmann (both MoinMoin devs).
> 
> Here's an update I sent to the board list yesterday:
> 
> """
> I've managed to extract all of the data available archive.org for
> the public wikis (the latest version of each page). I'm now
> looking into merging this data with the more recent, but incomplete
> data from Yahoo/Bing archives. The Google archive could not be used
> due to a surge protection they have on their site.
> 
> Once this is merged, Reimar will put the HTML files through
> a converter that generates wiki markup.
> 
> However, before setting up the new VM with the recovered data,
> we want to have a closer look at the VM image file Noah made available
> yesterday.
> 
>>From a first inspection it does contain traces of the wiki files
> and even the most recently updated ones from the board
> agenda page.
> 
> Esp. for the PSF wiki this data is important, since we don't
> have any other cache or archive to check.
> 
> If we're successful, we can then create a dump of all the recovered
> data in wiki format to be loaded back into the archive from
> end of June 2012.
> """
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 16 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From techtonik at gmail.com  Wed Jan 16 15:34:50 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Wed, 16 Jan 2013 17:34:50 +0300
Subject: [pydotorg-www] [Infrastructure]  Wiki news?
In-Reply-To: <50F66850.6000801@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<50F65FEF.6050303@egenix.com> <50F66850.6000801@egenix.com>
Message-ID: <CAPkN8x+aCmeXK+X4mp5a-tPHVOHC+20O+SeBjzM3heYfwE4pNQ@mail.gmail.com>

On Wed, Jan 16, 2013 at 11:44 AM, M.-A. Lemburg <mal at egenix.com> wrote:

> Related to this:
>
> Since I don't think we can recover more data from the available caches,
> it may be a good time to redirect the wiki.python.org URL
> to a page explaining the problem - perhaps just the blog post at:
>
> http://pyfound.blogspot.de/2013/01/wikipythonorg-compromised.html


It is not clear why this announcement is not on http://python.org/
Not many wiki users are subscribed to pyfound blog.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130116/e65cfaef/attachment.html>

From sdeibel at wingware.com  Wed Jan 16 16:05:23 2013
From: sdeibel at wingware.com (Stephan Deibel)
Date: Wed, 16 Jan 2013 10:05:23 -0500
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <50F66452.1060601@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com>
Message-ID: <50F6C1B3.1080100@wingware.com>

M.-A. Lemburg wrote:
> I've been able to recover the pages from archive.org and have also
> tried Google cache (which failed due to limits on the number of
> allowed requests) and Yahoo/Bing cache. The latter worked, but
> only returns a small fraction of the pages we have had in the wiki -
> about 300+ pages. They are more recent than the archive.org ones,
> though, so I'm trying to merge the Yahoo archive ones back into the
> archive.org recovery.
>
> I recovered around 4500 pages from archive.org... in HTML. Reimar
> has a tool to convert them back into wiki markup, which we'll
> try to use to prepare an import.
>
> Meanwhile I'm also trying to see whether we can still extract some
> data from the broken VM image. It does show traces of the wiki
> file contents, so the data still exists on the image in some
> form. Noah already tried extundelete with no success. I'm going
> to give some of the other tools a try as well, e.g. ext4magic
> or PhotoRec.

Phew, sounds like fun... thanks for everyone's work on this!

Can someone explain (to PSF members list) how it ended up that there 
were no backups?  I'm not trying to put anyone on the spot, just trying 
to (a) understand how this happened, making it so hard to recover, and 
(b) make sure that python.org and other important resources _are_ being 
backed up in a way that prevents this kind of thing from taking down 
services for a long time.

Thanks,

- Stephan


From jnoller at gmail.com  Wed Jan 16 16:30:21 2013
From: jnoller at gmail.com (Jesse Noller)
Date: Wed, 16 Jan 2013 10:30:21 -0500
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <50F6C1B3.1080100@wingware.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F6C1B3.1080100@wingware.com>
Message-ID: <255BE7F4256C4D19B666DE01F3A50B14@gmail.com>



On Wednesday, January 16, 2013 at 10:05 AM, Stephan Deibel wrote:

> M.-A. Lemburg wrote:
> > I've been able to recover the pages from archive.org (http://archive.org) and have also
> > tried Google cache (which failed due to limits on the number of
> > allowed requests) and Yahoo/Bing cache. The latter worked, but
> > only returns a small fraction of the pages we have had in the wiki -
> > about 300+ pages. They are more recent than the archive.org (http://archive.org) ones,
> > though, so I'm trying to merge the Yahoo archive ones back into the
> > archive.org (http://archive.org) recovery.
> > 
> > I recovered around 4500 pages from archive.org (http://archive.org)... in HTML. Reimar
> > has a tool to convert them back into wiki markup, which we'll
> > try to use to prepare an import.
> > 
> > Meanwhile I'm also trying to see whether we can still extract some
> > data from the broken VM image. It does show traces of the wiki
> > file contents, so the data still exists on the image in some
> > form. Noah already tried extundelete with no success. I'm going
> > to give some of the other tools a try as well, e.g. ext4magic
> > or PhotoRec.
> 
> 
> 
> Phew, sounds like fun... thanks for everyone's work on this!
> 
> Can someone explain (to PSF members list) how it ended up that there 
> were no backups? I'm not trying to put anyone on the spot, just trying 
> to (a) understand how this happened, making it so hard to recover, and 
> (b) make sure that python.org (http://python.org) and other important resources _are_ being 
> backed up in a way that prevents this kind of thing from taking down 
> services for a long time.
> 
> Thanks,
> 
> - Stephan

Noah can expand on this as Infrastructure lead, but the short version is this - last year we got some beefy donations and hosting form OSU/OSL - this allows us to run our own VM infrastructure and isolate/spin up new servers at will (which is great). We've been slowly migrating the old services to the new systems.

Our backups are currently handled via donated services to Tummy.com - in the transition, one of the things which had to be done was update those backups to point to the new virtual machines. This happened for some of the more "mission critical" virtual machines, but unfortunately one of the machines which fell through the cracks was the wiki machine, which hosts not just one Moin instance - but every single wiki the PSF hosts (including the members wiki, etc). 

Due to this, when the server was compromised, and the data deleted sometime around the 28th of december due to a 0 day exploit in Moin Moin, we lost all data from the move to OSU. 

We have coordinated with Noah, Sean at Tummy, etc to ensure all VMs hosted at the new setup are on a vigorous backup regime (offsite via Tummy). In addition to this, Noah is deploying an on site backup system / coordinating with OSU to ensure we have secondary / on site backups of everything.

This ultimately comes down to a miscommunication/miss on our part, and we are examining ways to backfill our volunteer team with paid services and leveraging the services OSU offers to ensure we have good backups, support and other things we may lack today.

Thanks go out to Noah for identifying and triaging the issue as best as possible and for Marc-Andre and others for looking to recover what they can from the compromised virtual machine and web archives.

All of our infrastructure is managed by Chef (https://github.com/coderanger/psf-chef/tree/master/roles) and Ganeti at OSU. 

Currently being backed up are:

virt-l4es2w.psf.osuosl.org
virt-gwhg4e.psf.osuosl.org
virt-wdiwcy.psf.osuosl.org
virt-sxw5uy.psf.osuosl.org
virt-oku3tm.psf.osuosl.org
virt-h669vt.psf.osuosl.org
virt-wzmlmm.psf.osuosl.org
virt-ys0nco.psf.osuosl.org
virt-7yvsjn.psf.osuosl.org
virt-k4b2sa.psf.osuosl.org
virt-ozvw2q.psf.osuosl.org
virt-8joqck.psf.osuosl.org
virt-et2yi0.psf.osuosl.org



This also includes "non PSF" assets such as PyPy assets we are now hosting for free. As I said, this is both a combination of communication issues and volunteer load. The board is examining paid backup/leads where needed and/or leveraging OSU's services and administration.

Jesse Noller
Director, Python Software Foundation
Chair, PyCon 2013 - http://us.pycon.org
jnoller at gmail.com / jnoller at python.org
+1 617-877-9135




From mmueller at python-academy.de  Wed Jan 16 16:33:39 2013
From: mmueller at python-academy.de (mmueller at python-academy.de)
Date: Wed, 16 Jan 2013 16:33:39 +0100
Subject: [pydotorg-www] Adding User Group Calendar to home page
Message-ID: <20130116163339.Horde.Zrsba1QvoipQ9shTLKSj0rA@webmail.your-server.de>

Hi web team,

Since the dates of Python events are split between the events calendar  
and the user group
group calendar it makes sense to add both to the python.org home page.
While the events calendar appears in left column, the user group  
calendar does not.

It would be nice to have the user group calendar there, just below and  
in the same style.

This is the link for the iframe

"https://www.google.com/calendar/embed?src=3haig2m9msslkpf2tn1h56nn9g%40group.calendar.google.com"

Thanks,
Mike




From mal at egenix.com  Wed Jan 16 16:37:41 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 16 Jan 2013 16:37:41 +0100
Subject: [pydotorg-www] Adding User Group Calendar to home page
In-Reply-To: <20130116163339.Horde.Zrsba1QvoipQ9shTLKSj0rA@webmail.your-server.de>
References: <20130116163339.Horde.Zrsba1QvoipQ9shTLKSj0rA@webmail.your-server.de>
Message-ID: <50F6C945.5000202@egenix.com>

On 16.01.2013 16:33, mmueller at python-academy.de wrote:
> Hi web team,
> 
> Since the dates of Python events are split between the events calendar and the user group
> group calendar it makes sense to add both to the python.org home page.
> While the events calendar appears in left column, the user group calendar does not.
> 
> It would be nice to have the user group calendar there, just below and in the same style.
> 
> This is the link for the iframe
> 
> "https://www.google.com/calendar/embed?src=3haig2m9msslkpf2tn1h56nn9g%40group.calendar.google.com"

Hi Mike,

this was done on purpose, since we first wanted to see whether the
user events clutter up the calendar too much. That doesn't appear to be
the case, so it may be a good idea to add it as extra calendar box on the
sidebar.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 16 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From aahz at pythoncraft.com  Wed Jan 16 17:12:57 2013
From: aahz at pythoncraft.com (Aahz)
Date: Wed, 16 Jan 2013 08:12:57 -0800
Subject: [pydotorg-www] FWD: wiki down notice moved
Message-ID: <20130116161257.GA6996@panix.com>

Marc-Andre,

I have no objection to a news item, but I think the wiki being down is
important enough that it should also stay at the top of the page,
webmaster is getting constant pings about it.  Is there some reason you
removed it from the top?

Thanks,
Aahz


----- Forwarded message from "marc-andre.lemburg" <pydotorg-checkins at python.org> -----

> Date: Wed, 16 Jan 2013 16:32:04 +0100 (CET)
> From: "marc-andre.lemburg" <pydotorg-checkins at python.org>
> To: pydotorg-checkins at python.org
> Subject: [Pydotorg-checkins] r14559 - trunk/beta.python.org/build/data
> Reply-To: pydotorg at python.org
> 
> Author: marc-andre.lemburg
> Date: Wed Jan 16 16:32:04 2013
> New Revision: 14559
> 
> Modified:
>    trunk/beta.python.org/build/data/content.ht
>    trunk/beta.python.org/build/data/newsindex.yml
> Log:
> Turn the wiki down notice into a news item.
> 
> 
> 
> Modified: trunk/beta.python.org/build/data/content.ht
> ==============================================================================
> --- trunk/beta.python.org/build/data/content.ht	(original)
> +++ trunk/beta.python.org/build/data/content.ht	Wed Jan 16 16:32:04 2013
> @@ -62,9 +62,6 @@
>        PyKyra http://www.alobbs.com/pykyra
>        3D Rendering http://www.vrplumber.com/py3d.py
>  
> -Note: the Python wiki is currently down as of 2013-01-05
> -(`<http://wiki.python.org/moin/>`__), we will post more details later.
> -
>  **Python is a programming language that lets you work more quickly and
>  integrate your systems more effectively. You can learn to use Python
>  and see almost immediate gains in productivity and lower maintenance
> 
> Modified: trunk/beta.python.org/build/data/newsindex.yml
> ==============================================================================
> --- trunk/beta.python.org/build/data/newsindex.yml	(original)
> +++ trunk/beta.python.org/build/data/newsindex.yml	Wed Jan 16 16:32:04 2013
> @@ -6,6 +6,10 @@
>  global:
>    news:
>     -
> +    pubDate: Mon, 7 January 2013, 20:00 +0200
> +    title: "http://wiki.python.org taken down for recovery"
> +    description: !rest "The Python wiki has been taken offline for recovery operations. Please see the `PSF blog <http://pyfound.blogspot.com/>`__ for details and updates."
> +   -
>      pubDate: Sat, 29 September 2012, 18:00 +0200
>      title: "Python 3.3.0 released"
>      description: !rest "`Python 3.3.0 </download/releases/3.3.0/>`__ has been released."
> _______________________________________________
> Pydotorg-checkins mailing list
> Pydotorg-checkins at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-checkins

----- End forwarded message -----

-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From sdeibel at wingware.com  Wed Jan 16 17:13:32 2013
From: sdeibel at wingware.com (Stephan Deibel)
Date: Wed, 16 Jan 2013 11:13:32 -0500
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <255BE7F4256C4D19B666DE01F3A50B14@gmail.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F6C1B3.1080100@wingware.com>
	<255BE7F4256C4D19B666DE01F3A50B14@gmail.com>
Message-ID: <50F6D1AC.4030907@wingware.com>

Jesse Noller wrote:
> Noah can expand on this as Infrastructure lead, but the short version is this - last year we got some beefy donations and hosting form OSU/OSL - this allows us to run our own VM infrastructure and isolate/spin up new servers at will (which is great). We've been slowly migrating the old services to the new systems.
> ...
> This also includes "non PSF" assets such as PyPy assets we are now hosting for free. As I said, this is both a combination of communication issues and volunteer load. The board is examining paid backup/leads where needed and/or leveraging OSU's services and administration.

Great, thanks.  I figured you were already on top of looking at what the 
PSF can do, but it seemed worth bringing up.

Would it make sense to develop an infrastructure policy with a set of 
requirements for infrastructure?  Then the PSF could pay someone (or 
appoint someone) to review everything periodically to make sure there 
are working audited backups, security patches, security scans, and 
whatever else is required by the policy.  I don't know if that's too 
bureaucratic but I'd support it as a way to use PSF funds.

- Stephan


From mal at egenix.com  Wed Jan 16 17:14:59 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 16 Jan 2013 17:14:59 +0100
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <20130116161257.GA6996@panix.com>
References: <20130116161257.GA6996@panix.com>
Message-ID: <50F6D203.90901@egenix.com>

On 16.01.2013 17:12, Aahz wrote:
> Marc-Andre,
> 
> I have no objection to a news item, but I think the wiki being down is
> important enough that it should also stay at the top of the page,
> webmaster is getting constant pings about it.  Is there some reason you
> removed it from the top?

Just to avoid duplication. We can readd it if you like.

BTW: Isn't there some CSS to a highlight the notice in some way ?

> Thanks,
> Aahz
> 
> 
> ----- Forwarded message from "marc-andre.lemburg" <pydotorg-checkins at python.org> -----
> 
>> Date: Wed, 16 Jan 2013 16:32:04 +0100 (CET)
>> From: "marc-andre.lemburg" <pydotorg-checkins at python.org>
>> To: pydotorg-checkins at python.org
>> Subject: [Pydotorg-checkins] r14559 - trunk/beta.python.org/build/data
>> Reply-To: pydotorg at python.org
>>
>> Author: marc-andre.lemburg
>> Date: Wed Jan 16 16:32:04 2013
>> New Revision: 14559
>>
>> Modified:
>>    trunk/beta.python.org/build/data/content.ht
>>    trunk/beta.python.org/build/data/newsindex.yml
>> Log:
>> Turn the wiki down notice into a news item.
>>
>>
>>
>> Modified: trunk/beta.python.org/build/data/content.ht
>> ==============================================================================
>> --- trunk/beta.python.org/build/data/content.ht	(original)
>> +++ trunk/beta.python.org/build/data/content.ht	Wed Jan 16 16:32:04 2013
>> @@ -62,9 +62,6 @@
>>        PyKyra http://www.alobbs.com/pykyra
>>        3D Rendering http://www.vrplumber.com/py3d.py
>>  
>> -Note: the Python wiki is currently down as of 2013-01-05
>> -(`<http://wiki.python.org/moin/>`__), we will post more details later.
>> -
>>  **Python is a programming language that lets you work more quickly and
>>  integrate your systems more effectively. You can learn to use Python
>>  and see almost immediate gains in productivity and lower maintenance
>>
>> Modified: trunk/beta.python.org/build/data/newsindex.yml
>> ==============================================================================
>> --- trunk/beta.python.org/build/data/newsindex.yml	(original)
>> +++ trunk/beta.python.org/build/data/newsindex.yml	Wed Jan 16 16:32:04 2013
>> @@ -6,6 +6,10 @@
>>  global:
>>    news:
>>     -
>> +    pubDate: Mon, 7 January 2013, 20:00 +0200
>> +    title: "http://wiki.python.org taken down for recovery"
>> +    description: !rest "The Python wiki has been taken offline for recovery operations. Please see the `PSF blog <http://pyfound.blogspot.com/>`__ for details and updates."
>> +   -
>>      pubDate: Sat, 29 September 2012, 18:00 +0200
>>      title: "Python 3.3.0 released"
>>      description: !rest "`Python 3.3.0 </download/releases/3.3.0/>`__ has been released."
>> _______________________________________________
>> Pydotorg-checkins mailing list
>> Pydotorg-checkins at python.org
>> http://mail.python.org/mailman/listinfo/pydotorg-checkins
> 
> ----- End forwarded message -----
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 16 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From aahz at pythoncraft.com  Wed Jan 16 17:19:55 2013
From: aahz at pythoncraft.com (Aahz)
Date: Wed, 16 Jan 2013 08:19:55 -0800
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <50F6D203.90901@egenix.com>
References: <20130116161257.GA6996@panix.com>
 <50F6D203.90901@egenix.com>
Message-ID: <20130116161955.GB6996@panix.com>

On Wed, Jan 16, 2013, M.-A. Lemburg wrote:
> On 16.01.2013 17:12, Aahz wrote:
>> 
>> I have no objection to a news item, but I think the wiki being down is
>> important enough that it should also stay at the top of the page,
>> webmaster is getting constant pings about it.  Is there some reason you
>> removed it from the top?
> 
> Just to avoid duplication. We can readd it if you like.

Done

> BTW: Isn't there some CSS to a highlight the notice in some way ?

Probably, but I don't know how to do that (nor especially do I know how
to do that in reST).  Anyone who knows the magic is welcome to do that.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From jnoller at gmail.com  Wed Jan 16 17:22:50 2013
From: jnoller at gmail.com (Jesse Noller)
Date: Wed, 16 Jan 2013 11:22:50 -0500
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <50F6D1AC.4030907@wingware.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F6C1B3.1080100@wingware.com>
	<255BE7F4256C4D19B666DE01F3A50B14@gmail.com>
	<50F6D1AC.4030907@wingware.com>
Message-ID: <C725D566D3104BA5993F4E1D6FE79A94@gmail.com>



On Wednesday, January 16, 2013 at 11:13 AM, Stephan Deibel wrote:

> Jesse Noller wrote:
> > Noah can expand on this as Infrastructure lead, but the short version is this - last year we got some beefy donations and hosting form OSU/OSL - this allows us to run our own VM infrastructure and isolate/spin up new servers at will (which is great). We've been slowly migrating the old services to the new systems.
> > ...
> > This also includes "non PSF" assets such as PyPy assets we are now hosting for free. As I said, this is both a combination of communication issues and volunteer load. The board is examining paid backup/leads where needed and/or leveraging OSU's services and administration.
> 
> 
> 
> Great, thanks. I figured you were already on top of looking at what the 
> PSF can do, but it seemed worth bringing up.
> 
> Would it make sense to develop an infrastructure policy with a set of 
> requirements for infrastructure? Then the PSF could pay someone (or 
> appoint someone) to review everything periodically to make sure there 
> are working audited backups, security patches, security scans, and 
> whatever else is required by the policy. I don't know if that's too 
> bureaucratic but I'd support it as a way to use PSF funds.
> 
> - Stephan 
Already working on a policy/job description/whatever you might call it. Just got side swiped with the Flu. 


From goodger at python.org  Wed Jan 16 17:51:55 2013
From: goodger at python.org (David Goodger)
Date: Wed, 16 Jan 2013 11:51:55 -0500
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <20130116161955.GB6996@panix.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
Message-ID: <CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>

On Wed, Jan 16, 2013 at 11:19 AM, Aahz <aahz at pythoncraft.com> wrote:

> On Wed, Jan 16, 2013, M.-A. Lemburg wrote:
>
> BTW: Isn't there some CSS to a highlight the notice in some way ?
>
> Probably, but I don't know how to do that (nor especially do I know how
> to do that in reST).  Anyone who knows the magic is welcome to do that.
>

Done in r14561.

-- 
David Goodger <http://python.net/~goodger>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130116/76a254f2/attachment.html>

From aahz at pythoncraft.com  Wed Jan 16 18:19:37 2013
From: aahz at pythoncraft.com (Aahz)
Date: Wed, 16 Jan 2013 09:19:37 -0800
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
	<CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
Message-ID: <20130116171937.GA8578@panix.com>

On Wed, Jan 16, 2013, David Goodger wrote:
> On Wed, Jan 16, 2013 at 11:19 AM, Aahz <aahz at pythoncraft.com> wrote:
>> On Wed, Jan 16, 2013, M.-A. Lemburg wrote:
>>>
>>> BTW: Isn't there some CSS to a highlight the notice in some way ?
>>
>> Probably, but I don't know how to do that (nor especially do I know how
>> to do that in reST).  Anyone who knows the magic is welcome to do that.
> 
> Done in r14561.

Thanks!
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From techtonik at gmail.com  Wed Jan 16 20:13:44 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Wed, 16 Jan 2013 22:13:44 +0300
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <20130116171937.GA8578@panix.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
	<CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
	<20130116171937.GA8578@panix.com>
Message-ID: <CAPkN8xJM3rCdndRyTkbPCo+9aiaNDsXpgaESoq=7An9EYmkyMw@mail.gmail.com>

The problem with the news item that it completely misses the fact about
security breach.

The purpose to make this visible on python.org instead of only
wiki.python.org is to urge people to change their passwords. Current
message fails to convey this. The announcement text:

-
http://wiki.python.org taken down for recovery

The Python wiki has been taken offline for recovery operations. Please see
the PSF blog <http://pyfound.blogspot.com/>for details and updates.
+
Report on security attack on Python Wiki

On the XX December the MoinMoin instance that served python.org wikies has
been compromised, all wiki data were erased. Edits over last XX months are
lost, and the wiki VM is taken offline for recovery. Everybody is asked to
change your python.org passwords as soon as possible if you use the same
one for other services. For more information see the PSF
blog<http://pyfound.blogspot.com/>
.

-- 
anatoly t.


On Wed, Jan 16, 2013 at 8:19 PM, Aahz <aahz at pythoncraft.com> wrote:

> On Wed, Jan 16, 2013, David Goodger wrote:
> > On Wed, Jan 16, 2013 at 11:19 AM, Aahz <aahz at pythoncraft.com> wrote:
> >> On Wed, Jan 16, 2013, M.-A. Lemburg wrote:
> >>>
> >>> BTW: Isn't there some CSS to a highlight the notice in some way ?
> >>
> >> Probably, but I don't know how to do that (nor especially do I know how
> >> to do that in reST).  Anyone who knows the magic is welcome to do that.
> >
> > Done in r14561.
>
> Thanks!
> --
> Aahz (aahz at pythoncraft.com)           <*>
> http://www.pythoncraft.com/
>
> Weinberg's Second Law: If builders built buildings the way programmers
> wrote
> programs, then the first woodpecker that came along would destroy
> civilization.
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130116/f5d68d2f/attachment.html>

From goodger at python.org  Wed Jan 16 21:08:03 2013
From: goodger at python.org (David Goodger)
Date: Wed, 16 Jan 2013 15:08:03 -0500
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <CAPkN8xJM3rCdndRyTkbPCo+9aiaNDsXpgaESoq=7An9EYmkyMw@mail.gmail.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
	<CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
	<20130116171937.GA8578@panix.com>
	<CAPkN8xJM3rCdndRyTkbPCo+9aiaNDsXpgaESoq=7An9EYmkyMw@mail.gmail.com>
Message-ID: <CABiJP=Kykmkkz3eyrFw4PZLWAUB=z9FiGKJ8P1jogFg9yw8XEw@mail.gmail.com>

On Wed, Jan 16, 2013 at 2:13 PM, anatoly techtonik <techtonik at gmail.com> wrote:
> The problem with the news item that it completely misses the fact about
> security breach.
>
> The purpose to make this visible on python.org instead of only
> wiki.python.org is to urge people to change their passwords. Current message
> fails to convey this.

Right now, there would be no point.
There is no way for people to change their passwords now, since the
wiki is still down.

Once the wiki is back up and people ARE able to change their
passwords, such an announcement would be appropriate and useful.

How about doing something to help fix things (volunteer!), rather than
just complaining about what's wrong?

-- 
David Goodger <http://python.net/~goodger>

From techtonik at gmail.com  Wed Jan 16 22:12:13 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Thu, 17 Jan 2013 00:12:13 +0300
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <CABiJP=Kykmkkz3eyrFw4PZLWAUB=z9FiGKJ8P1jogFg9yw8XEw@mail.gmail.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
	<CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
	<20130116171937.GA8578@panix.com>
	<CAPkN8xJM3rCdndRyTkbPCo+9aiaNDsXpgaESoq=7An9EYmkyMw@mail.gmail.com>
	<CABiJP=Kykmkkz3eyrFw4PZLWAUB=z9FiGKJ8P1jogFg9yw8XEw@mail.gmail.com>
Message-ID: <CAPkN8xLu6aqA5e-vWvrOZKw_z5rt+9tNoxB=XS1jFp9hTq=d=Q@mail.gmail.com>

On Wed, Jan 16, 2013 at 11:08 PM, David Goodger <goodger at python.org> wrote:

> On Wed, Jan 16, 2013 at 2:13 PM, anatoly techtonik <techtonik at gmail.com>
> wrote:
> > The problem with the news item that it completely misses the fact about
> > security breach.
> >
> > The purpose to make this visible on python.org instead of only
> > wiki.python.org is to urge people to change their passwords. Current
> message
> > fails to convey this.
>
> Right now, there would be no point.
> There is no way for people to change their passwords now, since the
> wiki is still down.
>
> Once the wiki is back up and people ARE able to change their
> passwords, such an announcement would be appropriate and useful.
>

It's not for wiki. I use the same password across all python.org services,
so I suspect that at least 5% of auditory use the same pattern.


> How about doing something to help fix things (volunteer!), rather than
> just complaining about what's wrong?


1. I rewrote a news item so you won't have to crack your head
2. No access to any python sites to edit the news
3. There is not enough visibility into the process or any roadmap, so I
(like other people) can't see what to help with
4. My help is not welcome here

I write this only because nobody else raised this point, and I shouldn't
write this to ML directly anyway.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130117/cce3f31f/attachment-0001.html>

From techtonik at gmail.com  Wed Jan 16 22:20:53 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Thu, 17 Jan 2013 00:20:53 +0300
Subject: [pydotorg-www] FWD: wiki down notice moved
In-Reply-To: <CAPkN8xLu6aqA5e-vWvrOZKw_z5rt+9tNoxB=XS1jFp9hTq=d=Q@mail.gmail.com>
References: <20130116161257.GA6996@panix.com> <50F6D203.90901@egenix.com>
	<20130116161955.GB6996@panix.com>
	<CABiJP=L=1t4QkTH6kaStnA2AMJga5Y7Pd24QU7W0y0w6qbethw@mail.gmail.com>
	<20130116171937.GA8578@panix.com>
	<CAPkN8xJM3rCdndRyTkbPCo+9aiaNDsXpgaESoq=7An9EYmkyMw@mail.gmail.com>
	<CABiJP=Kykmkkz3eyrFw4PZLWAUB=z9FiGKJ8P1jogFg9yw8XEw@mail.gmail.com>
	<CAPkN8xLu6aqA5e-vWvrOZKw_z5rt+9tNoxB=XS1jFp9hTq=d=Q@mail.gmail.com>
Message-ID: <CAPkN8x+L9m1bsvvnnksvjnqoaTszxnA4yj+uW0iS5kXu+M3Zvg@mail.gmail.com>

On Thu, Jan 17, 2013 at 12:12 AM, anatoly techtonik <techtonik at gmail.com>wrote:

> 3. There is not enough visibility into the process or any roadmap, so I
> (like other people) can't see what to help with


To make this more constructive, the information lacking:
1. The date of the last backup of archive.
2. The state of MoinMoin site tree dumper (is it possible to get the tree
structure of the wiki in consistent (sorted) view?)
3. The algorithm of searching for new pages in Google caches and
web.archive.org (is there a way to detect new pages from the caches?)
4. The scraper state (does it compare the wiki html with cache html for
every page to see if the information in cache is newer?)
4.1. How many pages were actually updated since last backup?
5. Does MoinMoin support enforced password change?
6. What is MoinMoin salt, is it using SSHA, is it the same for
bugs.python.org and pypi.python.org, so that we can check if user used old
password and invalidate this password on these sites as well?
-- 
anatoly t.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130117/fbd46867/attachment.html>

From mal at egenix.com  Thu Jan 17 00:47:22 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 17 Jan 2013 00:47:22 +0100
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]  Wiki news?
In-Reply-To: <50F66452.1060601@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com>
Message-ID: <50F73C0A.8000809@egenix.com>

On 16.01.2013 09:26, M.-A. Lemburg wrote:
> Meanwhile I'm also trying to see whether we can still extract some
> data from the broken VM image. It does show traces of the wiki
> file contents, so the data still exists on the image in some
> form. Noah already tried extundelete with no success. I'm going
> to give some of the other tools a try as well, e.g. ext4magic
> or PhotoRec.

Update on the last bit:

The tools were not able to recover the deleted files in the file
structure, but were able to reconstruct a large number of files
from the unallocated parts of the disk.

Given that moin saves all revisions of a wiki page in the file
system, with the file name being the only indication of the
revision, those files may be useful in important cases, but there's
no way to use them as input for automatic processing.

The tools did also recover a number of log files that had been
deleted, which allowed for a better analysis of what was used
for the attack.

Unfortunately, the logs for the important Dec 28
appear to have been overwritten by some other files, so I can't
tell for sure whether the same attack as for the Debian wiki
was used, but it is highly likely:

http://wiki.debian.org/DebianWiki/SecurityIncident2012

The moinexec.py action plugin mentioned there was used on our
wiki VM as well.

In the course of this, the IP address from which the "rm -r *"
originated turned up and we've contacted the ISP for more
information.

Several others played with the URLs as well, but only did
harmless stuff. The attacker must have been in the know
about the fact that wiki.python.org was also running the Jython
wiki, since the availability via python.org and jython.org
were checked after the rm run.

Reimar is working on the conversion of the archive.org page
dump to wiki format. I'll try to transmogrify the first
Yahoo dump I ran into a suitable format for him to use
tomorrow (the later runs returned fewer pages, which indicates
that these caches can really only be used for short periods
of time).

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 17 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  5 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From aahz at pythoncraft.com  Thu Jan 17 01:03:05 2013
From: aahz at pythoncraft.com (Aahz)
Date: Wed, 16 Jan 2013 16:03:05 -0800
Subject: [pydotorg-www] [Infrastructure] FWD: Site rebuild: 2013
In-Reply-To: <CABiJP=+HMXHeY+XGg3pjKMi3sCAEKo4e7De_1orhqcrRWRn=JQ@mail.gmail.com>
References: <20130116163855.GA23470@panix.com>
	<CAPZV6o8xk_PGQGNHT=EVQBdQLtaY4KVjp0uUhtbXWcCajkhRJQ@mail.gmail.com>
	<CABiJP=+9_yhAYqe2qbyJXapp+r5CBka5-RP338j6W77hA_qQUA@mail.gmail.com>
	<CAPZV6o9POj+h8UXytb6_8E1af0RCmaqEomPpgf8PSz=9zuTq7w@mail.gmail.com>
	<50F70D96.2030107@egenix.com> <50F70DDC.4080200@egenix.com>
	<CABiJP=+HMXHeY+XGg3pjKMi3sCAEKo4e7De_1orhqcrRWRn=JQ@mail.gmail.com>
Message-ID: <20130117000304.GA20467@panix.com>

On Wed, Jan 16, 2013, David Goodger wrote:
>
> (tl;dr) site rebuild done, 2013 copyright notice is there.

Yay!
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From mmueller at python-academy.de  Fri Jan 18 10:15:03 2013
From: mmueller at python-academy.de (=?ISO-8859-1?Q?Mike_M=FCller?=)
Date: Fri, 18 Jan 2013 10:15:03 +0100
Subject: [pydotorg-www] Adding User Group Calendar to home page
In-Reply-To: <50F6C945.5000202@egenix.com>
References: <20130116163339.Horde.Zrsba1QvoipQ9shTLKSj0rA@webmail.your-server.de>
	<50F6C945.5000202@egenix.com>
Message-ID: <50F91297.20602@python-academy.de>

Am 16.01.13 16:37, schrieb M.-A. Lemburg:
> On 16.01.2013 16:33, mmueller at python-academy.de wrote:
>> Hi web team,
>>
>> Since the dates of Python events are split between the events calendar and the user group
>> group calendar it makes sense to add both to the python.org home page.
>> While the events calendar appears in left column, the user group calendar does not.
>>
>> It would be nice to have the user group calendar there, just below and in the same style.
>>
>> This is the link for the iframe
>>
>> "https://www.google.com/calendar/embed?src=3haig2m9msslkpf2tn1h56nn9g%40group.calendar.google.com"
> 
> Hi Mike,
> 
> this was done on purpose, since we first wanted to see whether the
> user events clutter up the calendar too much. That doesn't appear to be
> the case, so it may be a good idea to add it as extra calendar box on the
> sidebar.

Good. I would like to add more user group events and invite others to
submit theirs. Right now I cannot find a link from the python.org site
anywhere. I think I need to supply such link to encourage people to add
an event. Of course, the link was on the a wiki page. But having it from
other places too might not be that bad an idea.

Regarding clutter, one of the intentions of having two different calendars
for conference-like events and user group meetings was to prevent clutter.
The way the box is set up, it shows only the most recent events. Therefore,
the worst that can happen that you see only events that are today because
there are so many of them. You need to click on the box anyway to see more
details.

Mike



From mal at egenix.com  Fri Jan 18 10:41:32 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 18 Jan 2013 10:41:32 +0100
Subject: [pydotorg-www] Adding User Group Calendar to home page
In-Reply-To: <50F91297.20602@python-academy.de>
References: <20130116163339.Horde.Zrsba1QvoipQ9shTLKSj0rA@webmail.your-server.de>
	<50F6C945.5000202@egenix.com> <50F91297.20602@python-academy.de>
Message-ID: <50F918CC.5050101@egenix.com>

On 18.01.2013 10:15, Mike M?ller wrote:
> Am 16.01.13 16:37, schrieb M.-A. Lemburg:
>> On 16.01.2013 16:33, mmueller at python-academy.de wrote:
>>> Hi web team,
>>>
>>> Since the dates of Python events are split between the events calendar and the user group
>>> group calendar it makes sense to add both to the python.org home page.
>>> While the events calendar appears in left column, the user group calendar does not.
>>>
>>> It would be nice to have the user group calendar there, just below and in the same style.
>>>
>>> This is the link for the iframe
>>>
>>> "https://www.google.com/calendar/embed?src=3haig2m9msslkpf2tn1h56nn9g%40group.calendar.google.com"
>>
>> Hi Mike,
>>
>> this was done on purpose, since we first wanted to see whether the
>> user events clutter up the calendar too much. That doesn't appear to be
>> the case, so it may be a good idea to add it as extra calendar box on the
>> sidebar.
> 
> Good. I would like to add more user group events and invite others to
> submit theirs. Right now I cannot find a link from the python.org site
> anywhere. I think I need to supply such link to encourage people to add
> an event. Of course, the link was on the a wiki page. But having it from
> other places too might not be that bad an idea.

Are you looking for this ?

http://pycon.org/#calendar

> Regarding clutter, one of the intentions of having two different calendars
> for conference-like events and user group meetings was to prevent clutter.
> The way the box is set up, it shows only the most recent events. Therefore,
> the worst that can happen that you see only events that are today because
> there are so many of them. You need to click on the box anyway to see more
> details.

True. I can add the new box next week.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 18 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  4 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Fri Jan 18 11:06:29 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 18 Jan 2013 11:06:29 +0100
Subject: [pydotorg-www] [Infrastructure] [PSF-Members]   Wiki news?
In-Reply-To: <50F73C0A.8000809@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F73C0A.8000809@egenix.com>
Message-ID: <50F91EA5.5060304@egenix.com>

On 17.01.2013 00:47, M.-A. Lemburg wrote:
> Unfortunately, the logs for the important Dec 28
> appear to have been overwritten by some other files, so I can't
> tell for sure whether the same attack as for the Debian wiki
> was used, but it is highly likely:
> 
> http://wiki.debian.org/DebianWiki/SecurityIncident2012
> 
> The moinexec.py action plugin mentioned there was used on our
> wiki VM as well.

Update:

A full disk scan revealed more details on the used plugin:
I could find a partial .pyc file which included the timestamp

Wed Jul 25 16:08:14 2012 GMT

If you compare that to the findings of the Debian admins,
this suggests that either the plugin was copied over to
the server as PYC file (in which case, the timestamp doesn't
mean much), or the PYC file was compiled by the Python on
the wiki server after a .py file was installed. The latter
is more likely given the analysis of the Debian system breach.

In other words, the backdoor will likely have been open for
several months.

Reimar has nearly finished the work on the wiki markup conversion
of the HTML files I had extracted from archive.org and yahoo.com.

We'll install these on top of the June/Juli 2012 backup of
the wiki in the next few days.

I also have a number of recovered wiki markup text files from
the VM, but without any date or filename information. These can
be used for manual recovery of single important pages that
were not available in the archive dumps.

Note that I cannot simply upload those pages somewhere, because
the VM hosted the public wikis as well as the private PSF ones
and the files are a mix of all these wikis.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 18 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  4 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From neil at python.ca  Fri Jan 18 19:59:04 2013
From: neil at python.ca (Neil Schemenauer)
Date: Fri, 18 Jan 2013 12:59:04 -0600
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]    Wiki news?
In-Reply-To: <50F91EA5.5060304@egenix.com>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F73C0A.8000809@egenix.com>
	<50F91EA5.5060304@egenix.com>
Message-ID: <20130118185904.GA8646@python.ca>

[PSF list removed]

On 2013-01-18, M.-A. Lemburg wrote:
> In other words, the backdoor will likely have been open for
> several months.

My thanks to all the work put in by volunteers.  Has there been any
consideration given to using different wiki software?  It's my
impression that MoinMoin has a quite poor record with regard to
security:

    http://moinmo.in/SecurityFixes

The abundance of past holes doesn't predict future ones but in
general there seems to be a correlation.  Whatever software we use,
keeping the wiki separated (e.g. in its own VM) is definitely a good
idea.  Anytime you allow remote users to create content the risks
are high.

Regards,

  Neil

From mal at egenix.com  Fri Jan 18 20:31:24 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 18 Jan 2013 20:31:24 +0100
Subject: [pydotorg-www] [PSF-Members] [Infrastructure]    Wiki news?
In-Reply-To: <20130118185904.GA8646@python.ca>
References: <CADrh4z+CPiUz8Oi_irYqiRvnbdPwsUPkXg+A0aWcEQjJRRUX1A@mail.gmail.com>
	<A682472F-6BB1-4C97-B86C-3298DD5C8E88@voidspace.org.uk>
	<DBAA7E04-095B-4856-B670-14D6EB00EBA7@gmail.com>
	<CADrh4zJQL8-3re3A1pjvk8f19Eu_XTGeYxe_ydSq+=2Jt+UwsQ@mail.gmail.com>
	<CAGE7PNLWtVjungnxbyFiYrNri1fKrX9fTtaROF46EknS8haeNA@mail.gmail.com>
	<50F66452.1060601@egenix.com> <50F73C0A.8000809@egenix.com>
	<50F91EA5.5060304@egenix.com> <20130118185904.GA8646@python.ca>
Message-ID: <50F9A30C.5050804@egenix.com>

On 18.01.2013 19:59, Neil Schemenauer wrote:
> [PSF list removed]
> 
> On 2013-01-18, M.-A. Lemburg wrote:
>> In other words, the backdoor will likely have been open for
>> several months.
> 
> My thanks to all the work put in by volunteers.  Has there been any
> consideration given to using different wiki software?  It's my
> impression that MoinMoin has a quite poor record with regard to
> security:
> 
>     http://moinmo.in/SecurityFixes
> 
> The abundance of past holes doesn't predict future ones but in
> general there seems to be a correlation. 

I think that's a misinterpretation. MoinMoin is used in a *lot*
of places and so finding vulnerabilities becomes more attractive
than for other similar software.

I agree, though, that a security audit would probably not
hurt :-) Perhaps they should have one of their GSoC students
run such an audit this summer.

> Whatever software we use,
> keeping the wiki separated (e.g. in its own VM) is definitely a good
> idea.  Anytime you allow remote users to create content the risks
> are high.

True.

Let's not overreact :-) Without the incident we would still be under
the assumption that we have backups for everything...

It also shows that we have to make a few enhancement to the way
we do logging; but that's going to be a new thread.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 18 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-01-22: Python Meeting Duesseldorf ...                  4 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From paul at boddie.org.uk  Fri Jan 18 22:51:10 2013
From: paul at boddie.org.uk (Paul Boddie)
Date: Fri, 18 Jan 2013 22:51:10 +0100
Subject: [pydotorg-www] [PSF-Members] [Infrastructure] Wiki news?
Message-ID: <201301182251.10563.paul@boddie.org.uk>

M.-A. Lemburg wrote:
> On 18.01.2013 19:59, Neil Schemenauer wrote:
> > [PSF list removed]
> >
> > On 2013-01-18, M.-A. Lemburg wrote:
> >> In other words, the backdoor will likely have been open for
> >> several months.
> >
> > My thanks to all the work put in by volunteers.  Has there been any
> > consideration given to using different wiki software?  It's my
> > impression that MoinMoin has a quite poor record with regard to
> > security:
> >
> >     http://moinmo.in/SecurityFixes
> >
> > The abundance of past holes doesn't predict future ones but in
> > general there seems to be a correlation.
>
> I think that's a misinterpretation. MoinMoin is used in a *lot*
> of places and so finding vulnerabilities becomes more attractive
> than for other similar software.

Agreed. Just because the MoinMoin project has openly published advisories (and 
fixed vulnerabilities) doesn't mean that it has a "poor record", or at least 
a record that is poorer than other software. I happen to be subscribed to 
notifications for MediaWiki, for example, and advisories are regularly 
published exhorting users to upgrade in order to fix various issues.

We could spend substantial effort migrating to something else without any 
guarantee of improved security and with substantial inconvenience incurred. 
As I noted on a rather tiresome thread on the PSF list, throwing everything 
out in order to do things some other, supposedly "better" way is an 
unfortunate Python community tendency that we shouldn't indulge. I also think 
that using people's software and then abandoning it (and them) when we find 
something we don't like about it, instead of offering to improve it, is 
counterproductive if not a betrayal of those people.

> I agree, though, that a security audit would probably not
> hurt :-) Perhaps they should have one of their GSoC students
> run such an audit this summer.
>
> > Whatever software we use,
> > keeping the wiki separated (e.g. in its own VM) is definitely a good
> > idea.  Anytime you allow remote users to create content the risks
> > are high.
>
> True.

I don't want to speculate on what should be done or should have been done 
because I think the MoinMoin developers do a lot of thankless work supporting 
their software so that others may freely benefit from it, but there are 
certainly measures that might be taken to reduce the risk of running this and 
other Web applications.

> Let's not overreact :-) Without the incident we would still be under
> the assumption that we have backups for everything...
>
> It also shows that we have to make a few enhancement to the way
> we do logging; but that's going to be a new thread.

I think the way forward is to be constructive and to consider how the Wiki can 
enhance what the complete python.org site offers and how we can be sure that 
it operates in a way that can be considered acceptable. If that involves 
spending time and effort on improving the software, then we should encourage 
that to happen through whatever reasonable means we have at our disposal.

Paul

From brian at python.org  Fri Jan 18 22:50:10 2013
From: brian at python.org (Brian Curtin)
Date: Fri, 18 Jan 2013 15:50:10 -0600
Subject: [pydotorg-www] [PSF-Members] [Infrastructure] Wiki news?
In-Reply-To: <201301182251.10563.paul@boddie.org.uk>
References: <201301182251.10563.paul@boddie.org.uk>
Message-ID: <CAD+XWwo9o80SGd6RpLLbZMo9=rexpuMOR+oG+qffFSMKhq+HUQ@mail.gmail.com>

On Fri, Jan 18, 2013 at 3:51 PM, Paul Boddie <paul at boddie.org.uk> wrote:
> M.-A. Lemburg wrote:
>> On 18.01.2013 19:59, Neil Schemenauer wrote:
>> > [PSF list removed]
>> >
>> > On 2013-01-18, M.-A. Lemburg wrote:
>> >> In other words, the backdoor will likely have been open for
>> >> several months.
>> >
>> > My thanks to all the work put in by volunteers.  Has there been any
>> > consideration given to using different wiki software?  It's my
>> > impression that MoinMoin has a quite poor record with regard to
>> > security:
>> >
>> >     http://moinmo.in/SecurityFixes
>> >
>> > The abundance of past holes doesn't predict future ones but in
>> > general there seems to be a correlation.
>>
>> I think that's a misinterpretation. MoinMoin is used in a *lot*
>> of places and so finding vulnerabilities becomes more attractive
>> than for other similar software.
>
> Agreed. Just because the MoinMoin project has openly published advisories (and
> fixed vulnerabilities) doesn't mean that it has a "poor record", or at least
> a record that is poorer than other software. I happen to be subscribed to
> notifications for MediaWiki, for example, and advisories are regularly
> published exhorting users to upgrade in order to fix various issues.
>
> We could spend substantial effort migrating to something else without any
> guarantee of improved security and with substantial inconvenience incurred.
> As I noted on a rather tiresome thread on the PSF list, throwing everything
> out in order to do things some other, supposedly "better" way is an
> unfortunate Python community tendency that we shouldn't indulge. I also think
> that using people's software and then abandoning it (and them) when we find
> something we don't like about it, instead of offering to improve it, is
> counterproductive if not a betrayal of those people.

Speaking of improving it: on Wednesday, the PSF approved a grant to
expedite development efforts that the MoinMoin team is putting in to
using passlib for their password handling.

From paul at boddie.org.uk  Sat Jan 19 02:00:31 2013
From: paul at boddie.org.uk (Paul Boddie)
Date: Sat, 19 Jan 2013 02:00:31 +0100
Subject: [pydotorg-www] [PSF-Members] [Infrastructure] Wiki news?
In-Reply-To: <CAD+XWwo9o80SGd6RpLLbZMo9=rexpuMOR+oG+qffFSMKhq+HUQ@mail.gmail.com>
References: <201301182251.10563.paul@boddie.org.uk>
	<CAD+XWwo9o80SGd6RpLLbZMo9=rexpuMOR+oG+qffFSMKhq+HUQ@mail.gmail.com>
Message-ID: <201301190200.31239.paul@boddie.org.uk>

On Friday 18 January 2013 22:50:10 Brian Curtin wrote:
>
> Speaking of improving it: on Wednesday, the PSF approved a grant to
> expedite development efforts that the MoinMoin team is putting in to
> using passlib for their password handling.

This is a most welcome development.

Although there may be people who argue that usage of this library is overdue, 
any effort or initiative that can encourage more sharing and collaboration 
amongst Python Web projects and revive channels like the Web SIG, so that 
best practices can be propagated and projects may look after each other 
instead of justifying factionalism through the idea that there must be 
winners and losers, is an initiative worth supporting.

Thanks for keeping us informed!

Paul

P.S. Personally, I'd either not heard of passlib or had forgotten about its 
existence, but then again I'm not doing password handling myself on a 
day-to-day basis.

From mborch at gmail.com  Thu Jan 24 14:58:55 2013
From: mborch at gmail.com (Malthe Borch)
Date: Thu, 24 Jan 2013 14:58:55 +0100
Subject: [pydotorg-www] Updating feed on Planet Python
Message-ID: <CAAPh5Fn9T=kZ1x6he2qnATXQ8aeF-PLVg7CPxwgQu5pgYEeN7w@mail.gmail.com>

Hello,

Might someone update my feed to:

    http://www.maltheborch.com/rss

Thanks,

\malthe

From mal at egenix.com  Thu Jan 24 15:13:41 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 24 Jan 2013 15:13:41 +0100
Subject: [pydotorg-www] Changing default wiki permissions
Message-ID: <51014195.2090000@egenix.com>

We're currently working on setting up the new VM with the
Python and Jython wikis.

In order to increase security and also to help a bit with
avoiding spam/vandalism, we'd like to disable editing
of wiki pages without login.

Any objections ?

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From jeremy at tuxmachine.com  Thu Jan 24 15:21:41 2013
From: jeremy at tuxmachine.com (Jeremy Baron)
Date: Thu, 24 Jan 2013 14:21:41 +0000
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51014195.2090000@egenix.com>
References: <51014195.2090000@egenix.com>
Message-ID: <CAE-2OCY33fNW6=jJuyYYv=f+WJPcWmwb=MzrF+FhSpU=BUBt7Q@mail.gmail.com>

On Jan 24, 2013 9:14 AM, "M.-A. Lemburg" <mal at egenix.com> wrote:
> We're currently working on setting up the new VM with the
> Python and Jython wikis.
[?]

Is this being automated or documented in any way? e.g. with puppet.

So that next time you need to make a new one from scratch it is then a
trivial task.

-Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130124/00dd5176/attachment.html>

From rosuav at gmail.com  Thu Jan 24 15:27:20 2013
From: rosuav at gmail.com (Chris Angelico)
Date: Fri, 25 Jan 2013 01:27:20 +1100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51014195.2090000@egenix.com>
References: <51014195.2090000@egenix.com>
Message-ID: <CAPTjJmr6f+sF9Z9OD8znu-C_SgSx-u_ZgT85FbxELwqjLV-1sg@mail.gmail.com>

On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?

Strongly support, as long as it's easy enough to create a login. +0 if
logins take a lot of time (or admin approval) before being permitted.

ChrisA

From sheep at sheep.art.pl  Thu Jan 24 16:28:01 2013
From: sheep at sheep.art.pl (Radomir Dopieralski)
Date: Thu, 24 Jan 2013 16:28:01 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51014195.2090000@egenix.com>
References: <51014195.2090000@egenix.com>
Message-ID: <CAJ2VPS1dtpygGfE=rxicaQveSWpXy2w=AEaBVua8AursMedBbQ@mail.gmail.com>

On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> We're currently working on setting up the new VM with the
> Python and Jython wikis.
>
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?

I don't really have any objections, but it may interest you that the
last few spammer attacks on the wiki all registered random accounts
automatically and logged in before posting their spam.

-- 
Radomir Dopieralski, http://sheep.art.pl

From barry at python.org  Thu Jan 24 16:48:00 2013
From: barry at python.org (Barry Warsaw)
Date: Thu, 24 Jan 2013 10:48:00 -0500
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <CAJ2VPS1dtpygGfE=rxicaQveSWpXy2w=AEaBVua8AursMedBbQ@mail.gmail.com>
References: <51014195.2090000@egenix.com>
	<CAJ2VPS1dtpygGfE=rxicaQveSWpXy2w=AEaBVua8AursMedBbQ@mail.gmail.com>
Message-ID: <20130124104800.2f516de9@anarchist.wooz.org>

On Jan 24, 2013, at 04:28 PM, Radomir Dopieralski wrote:

>On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
>
>I don't really have any objections, but it may interest you that the
>last few spammer attacks on the wiki all registered random accounts
>automatically and logged in before posting their spam.

+1 for the change, although based on my experience with the (Confluence-based)
Mailman wiki, it won't help much.  We've resorted to adding a special
"authors" group and only allowing folks in that group to edit pages.  You have
to explicitly ask the Mailman cabal for permission to join the group.  Now the
only spam we get (and it is *way* less than it ever was) is in the actual
wiki-joining account information.

Cheers,
-Barry

From mal at egenix.com  Thu Jan 24 17:05:59 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 24 Jan 2013 17:05:59 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <CAPTjJmr6f+sF9Z9OD8znu-C_SgSx-u_ZgT85FbxELwqjLV-1sg@mail.gmail.com>
References: <51014195.2090000@egenix.com>
	<CAPTjJmr6f+sF9Z9OD8znu-C_SgSx-u_ZgT85FbxELwqjLV-1sg@mail.gmail.com>
Message-ID: <51015BE7.9090606@egenix.com>

On 24.01.2013 15:27, Chris Angelico wrote:
> On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
> 
> Strongly support, as long as it's easy enough to create a login. +0 if
> logins take a lot of time (or admin approval) before being permitted.

It doesn't need admin approval. You just need to sign up. It's a
small extra burden. As side effect, the history of page edits
also becomes more readable.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From rosuav at gmail.com  Thu Jan 24 17:09:48 2013
From: rosuav at gmail.com (Chris Angelico)
Date: Fri, 25 Jan 2013 03:09:48 +1100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51015BE7.9090606@egenix.com>
References: <51014195.2090000@egenix.com>
	<CAPTjJmr6f+sF9Z9OD8znu-C_SgSx-u_ZgT85FbxELwqjLV-1sg@mail.gmail.com>
	<51015BE7.9090606@egenix.com>
Message-ID: <CAPTjJmrb_wYSH+7TWPeodL-B1tQbaFeyti-fBGdR8y5d1txBxw@mail.gmail.com>

On Fri, Jan 25, 2013 at 3:05 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.01.2013 15:27, Chris Angelico wrote:
>> On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> In order to increase security and also to help a bit with
>>> avoiding spam/vandalism, we'd like to disable editing
>>> of wiki pages without login.
>>>
>>> Any objections ?
>>
>> Strongly support, as long as it's easy enough to create a login. +0 if
>> logins take a lot of time (or admin approval) before being permitted.
>
> It doesn't need admin approval. You just need to sign up. It's a
> small extra burden. As side effect, the history of page edits
> also becomes more readable.

Then yeah, there's no need to allow anonymous editing. Wikipedia does,
but plenty don't. It just bugs me now and then when I come across a
wiki with a trivial typo or something, and I sign up, and it tells me
a mod has to grant me editing rights; why advertise that it's editable
if it basically isn't? By the time someone gets around to granting
permission, I've probably moved along, the edit wasn't worth the
hassle.

Course, it won't stop spam, as others mentioned.

ChrisA

From mal at egenix.com  Thu Jan 24 17:13:56 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 24 Jan 2013 17:13:56 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <CAJ2VPS1dtpygGfE=rxicaQveSWpXy2w=AEaBVua8AursMedBbQ@mail.gmail.com>
References: <51014195.2090000@egenix.com>
	<CAJ2VPS1dtpygGfE=rxicaQveSWpXy2w=AEaBVua8AursMedBbQ@mail.gmail.com>
Message-ID: <51015DC4.4000008@egenix.com>

On 24.01.2013 16:28, Radomir Dopieralski wrote:
> On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
> 
> I don't really have any objections, but it may interest you that the
> last few spammer attacks on the wiki all registered random accounts
> automatically and logged in before posting their spam.

I know it's not the ultimate tool against spammers :-)

We were thinking more about things like the attacks by script
kiddies we've seen after the Debian announcement. I would think
that having to log in before being able to run the action
would have made people think twice.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Thu Jan 24 17:17:02 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 24 Jan 2013 17:17:02 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <CAE-2OCY33fNW6=jJuyYYv=f+WJPcWmwb=MzrF+FhSpU=BUBt7Q@mail.gmail.com>
References: <51014195.2090000@egenix.com>
	<CAE-2OCY33fNW6=jJuyYYv=f+WJPcWmwb=MzrF+FhSpU=BUBt7Q@mail.gmail.com>
Message-ID: <51015E7E.3000102@egenix.com>

On 24.01.2013 15:21, Jeremy Baron wrote:
> On Jan 24, 2013 9:14 AM, "M.-A. Lemburg" <mal at egenix.com> wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
> [?]
> 
> Is this being automated or documented in any way? e.g. with puppet.

Both :-) The infrastructure team is using Chef for the management,
but there are still some manual steps involved in a moin wiki setup
that are not easy to automate (part of the setup requires visiting
pages, clicking on links, etc).

> So that next time you need to make a new one from scratch it is then a
> trivial task.

The setup isn't all that hard. The hard part was trying to recover at
least some of the content and getting it back into the wiki.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From aahz at pythoncraft.com  Thu Jan 24 18:23:17 2013
From: aahz at pythoncraft.com (Aahz)
Date: Thu, 24 Jan 2013 09:23:17 -0800
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51014195.2090000@egenix.com>
References: <51014195.2090000@egenix.com>
Message-ID: <20130124172317.GA10446@panix.com>

On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
>
> We're currently working on setting up the new VM with the Python and
> Jython wikis.
>
> In order to increase security and also to help a bit with avoiding
> spam/vandalism, we'd like to disable editing of wiki pages without
> login.
>
> Any objections ?

That was in fact the setup previously, and I strongly support reverting
to it.  As Barry notes, there are some pages that will need a higher
level of protection, but as long as we've got off-VM backups, we can
handle any mishaps.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.

From paul at boddie.org.uk  Thu Jan 24 23:24:30 2013
From: paul at boddie.org.uk (Paul Boddie)
Date: Thu, 24 Jan 2013 23:24:30 +0100
Subject: [pydotorg-www] Changing default wiki permissions
Message-ID: <201301242324.30997.paul@boddie.org.uk>

Aahz wrote:
> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
> > We're currently working on setting up the new VM with the Python and
> > Jython wikis.
> >
> > In order to increase security and also to help a bit with avoiding
> > spam/vandalism, we'd like to disable editing of wiki pages without
> > login.
> >
> > Any objections ?
>
> That was in fact the setup previously, and I strongly support reverting
> to it.  As Barry notes, there are some pages that will need a higher
> level of protection, but as long as we've got off-VM backups, we can
> handle any mishaps.

Indeed. I don't buy into the myth that people perpetuate about Wikis having to 
allow anonymous access or otherwise be instruments of The Man, or whatever. 
The Internet is full of people who will happily pollute any editable site 
with their idiotic spams and scams, and some fairly basic measures will deter 
the bulk of these people.

I recommend...

Requiring some kind of login. This actually makes it easier for the editors to 
see at a glance who has edited a page (Aahz rather than, say, 
123-client.456-server.verizon.com) and make a quick judgement about whether 
the edit needs investigating. We can support OpenID - you can even use your 
Python Package Index identity! - and so don't even need to make people set 
and remember distinct passwords.

Maintaining the textcha protection for random newcomers. I appreciate that 
textcha questions can be a pain - on one Wiki I use, the questions required a 
fair amount of research on my part because I am a mere developer and not part 
of the target audience - but we can migrate people quickly to a group/list 
that doesn't get bothered with questions. Textcha can be very effective: on 
some sites I've seen where they turned the feature on, spam was more or less 
eliminated.

Having some kind of mechanism for managing new user registration. I wouldn't 
want to impose the approval of new users because it stops the quick-but-good 
edits of people who are new to the Wiki but want to fix something, but it is 
the case that there may be a lot of "registration spam", meaning that the 
Wiki fills up with users who will never succeed in making an edit because 
they can't answer the textcha questions. Maybe there are already tools that 
deal with this. If not, I may be encouraged to write something.

Beyond this, we could introduce edit approval for random newcomers - I wrote 
something that puts edits in approval queues - but this is really something 
for a site where you want the barrier to editing to be very low but the 
barrier to publishing to be much higher. For the Python Wikis, the barrier to 
editing should be low but not *very* low, and the barrier to publishing 
should not be significantly higher.

Finally, I would like to thank Marc-Andr? for his forensic and recovery work 
as well as Thomas and Reimar for their work in attempting to restore the 
content. Once again, the PSF should be thanked for making resources available 
for the improvement of MoinMoin in various respects. Ensuring the vitality of 
widely-used Python projects like MoinMoin is an essential part of ensuring 
the vitality of Python itself.

Paul

From techtonik at gmail.com  Fri Jan 25 10:36:05 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Fri, 25 Jan 2013 11:36:05 +0200
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <51014195.2090000@egenix.com>
References: <51014195.2090000@egenix.com>
Message-ID: <CAPkN8xLWko973=FMH57Hp513R=ALSTopH98ySgz6wJrjMPP08A@mail.gmail.com>

On Thu, Jan 24, 2013 at 5:13 PM, M.-A. Lemburg <mal at egenix.com> wrote:

> We're currently working on setting up the new VM with the
> Python and Jython wikis.
>
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?
>

What was the monthly amount of posts from anonymous spammers?
What was the ratio of spam posts of anonymous vs registered spammers?

If the both parameters are low, I'd be -1. In other 'words':

if monthly.spam.unreg < 5 and monthly.spam.unreg/float(monthly.spam.reg) <
1:
   registration.disable()
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130125/e5d896ed/attachment-0001.html>

From mal at egenix.com  Fri Jan 25 12:00:46 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 25 Jan 2013 12:00:46 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <CAPkN8xLWko973=FMH57Hp513R=ALSTopH98ySgz6wJrjMPP08A@mail.gmail.com>
References: <51014195.2090000@egenix.com>
	<CAPkN8xLWko973=FMH57Hp513R=ALSTopH98ySgz6wJrjMPP08A@mail.gmail.com>
Message-ID: <510265DE.5020201@egenix.com>

On 25.01.2013 10:36, anatoly techtonik wrote:
> On Thu, Jan 24, 2013 at 5:13 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> 
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
>>
> 
> What was the monthly amount of posts from anonymous spammers?
> What was the ratio of spam posts of anonymous vs registered spammers?
> 
> If the both parameters are low, I'd be -1. In other 'words':
> 
> if monthly.spam.unreg < 5 and monthly.spam.unreg/float(monthly.spam.reg) <
> 1:
>    registration.disable()

If you could define a function to determine whether an edit was
spam or not, such statistics would be possible - and a lot more ;-).

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 25 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Fri Jan 25 12:19:23 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 25 Jan 2013 12:19:23 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <201301242324.30997.paul@boddie.org.uk>
References: <201301242324.30997.paul@boddie.org.uk>
Message-ID: <51026A3B.7000708@egenix.com>

On 24.01.2013 23:24, Paul Boddie wrote:
> Aahz wrote:
>> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
>>> We're currently working on setting up the new VM with the Python and
>>> Jython wikis.
>>>
>>> In order to increase security and also to help a bit with avoiding
>>> spam/vandalism, we'd like to disable editing of wiki pages without
>>> login.
>>>
>>> Any objections ?
>>
>> That was in fact the setup previously, and I strongly support reverting
>> to it.  As Barry notes, there are some pages that will need a higher
>> level of protection, but as long as we've got off-VM backups, we can
>> handle any mishaps.
> 
> Indeed. I don't buy into the myth that people perpetuate about Wikis having to 
> allow anonymous access or otherwise be instruments of The Man, or whatever. 
> The Internet is full of people who will happily pollute any editable site 
> with their idiotic spams and scams, and some fairly basic measures will deter 
> the bulk of these people.

Given the positive echo, we'll go ahead with requiring logins for
edits per default.

> I recommend...
> 
> Requiring some kind of login. This actually makes it easier for the editors to 
> see at a glance who has edited a page (Aahz rather than, say, 
> 123-client.456-server.verizon.com) and make a quick judgement about whether 
> the edit needs investigating. We can support OpenID - you can even use your 
> Python Package Index identity! - and so don't even need to make people set 
> and remember distinct passwords.
> 
> Maintaining the textcha protection for random newcomers. I appreciate that 
> textcha questions can be a pain - on one Wiki I use, the questions required a 
> fair amount of research on my part because I am a mere developer and not part 
> of the target audience - but we can migrate people quickly to a group/list 
> that doesn't get bothered with questions. Textcha can be very effective: on 
> some sites I've seen where they turned the feature on, spam was more or less 
> eliminated.

We are using text based capchas for the Python and Jython wiki -
for both unregistered and registered users. There's a group
of trusted editors which doesn't have to bother with the captchas.

Additionally, we have a blocked user group to disable known spam
accounts.

> Having some kind of mechanism for managing new user registration. I wouldn't 
> want to impose the approval of new users because it stops the quick-but-good 
> edits of people who are new to the Wiki but want to fix something, but it is 
> the case that there may be a lot of "registration spam", meaning that the 
> Wiki fills up with users who will never succeed in making an edit because 
> they can't answer the textcha questions. Maybe there are already tools that 
> deal with this. If not, I may be encouraged to write something.

We currently have 11000 users registered for the Python wiki. I do
believe that many of those are no longer in use. Since we're resetting
the password of the users now, we should get a good feel for the
actual number of active users after a few months: the inactive ones
will show up as not having registered a new password.

> Beyond this, we could introduce edit approval for random newcomers - I wrote 
> something that puts edits in approval queues - but this is really something 
> for a site where you want the barrier to editing to be very low but the 
> barrier to publishing to be much higher. For the Python Wikis, the barrier to 
> editing should be low but not *very* low, and the barrier to publishing 
> should not be significantly higher.

If spam from registered users becomes more of a problem, we could
increase the number of captcha phrases.

> Finally, I would like to thank Marc-Andr? for his forensic and recovery work 
> as well as Thomas and Reimar for their work in attempting to restore the 
> content. Once again, the PSF should be thanked for making resources available 
> for the improvement of MoinMoin in various respects. Ensuring the vitality of 
> widely-used Python projects like MoinMoin is an essential part of ensuring 
> the vitality of Python itself.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 25 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From sheep at sheep.art.pl  Fri Jan 25 12:45:49 2013
From: sheep at sheep.art.pl (Radomir Dopieralski)
Date: Fri, 25 Jan 2013 12:45:49 +0100
Subject: [pydotorg-www] Changing default wiki permissions
In-Reply-To: <201301242324.30997.paul@boddie.org.uk>
References: <201301242324.30997.paul@boddie.org.uk>
Message-ID: <CAJ2VPS0WhQxQwV73-+2nPQH7umh7Sp8tT28t+Pv42VixdskDYA@mail.gmail.com>

On Thu, Jan 24, 2013 at 11:24 PM, Paul Boddie <paul at boddie.org.uk> wrote:
> Aahz wrote:
>> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
> Having some kind of mechanism for managing new user registration. I wouldn't
> want to impose the approval of new users because it stops the quick-but-good
> edits of people who are new to the Wiki but want to fix something, but it is
> the case that there may be a lot of "registration spam", meaning that the
> Wiki fills up with users who will never succeed in making an edit because
> they can't answer the textcha questions. Maybe there are already tools that
> deal with this. If not, I may be encouraged to write something.

I think that MoinMoin lets you put a textcha on the registration page too.
That pretty much solves this problem.
-- 
Radomir Dopieralski, http://sheep.art.pl

From brian at python.org  Tue Jan 29 15:57:16 2013
From: brian at python.org (Brian Curtin)
Date: Tue, 29 Jan 2013 08:57:16 -0600
Subject: [pydotorg-www] Fwd: URGENT: Removal of Information for FUNERALCALL
In-Reply-To: <CAPg410BNj7vZu=0i7xQ8yDB=O+XfOMjY6K+vY5EHD69YydW9Jg@mail.gmail.com>
References: <CAPg410BNj7vZu=0i7xQ8yDB=O+XfOMjY6K+vY5EHD69YydW9Jg@mail.gmail.com>
Message-ID: <CAD+XWwqJtSi4E-RNKLAc-gvUR+nmHuG=2e9M+4qOLe=0K21tdw@mail.gmail.com>

Can anyone who deals with the job board take a look at this? Amberly
from Funeral Call needs a post removed...


---------- Forwarded message ----------
From: Amberly Odom <amberly at funeralcall.com>
Date: Tue, Jan 29, 2013 at 8:54 AM
Subject: URGENT: Removal of Information for FUNERALCALL
To: jnoller at python.org, spambayes-dev at python.org, brian at python.org,
guido at python.org


Hello,

I just came across a job opening that you have posted for our company.
We have not given anyone information to post a job and need this to be
removed immediately.This posting must be removed within 48 hours.
http://www.python.org/community/jobs/

--
Amberly Odom
Director of Marketing
Funeral Call

p.770-830-6000
e. amberly at funeralcall.com

From chris at python.org  Tue Jan 29 16:08:09 2013
From: chris at python.org (Chris Withers)
Date: Tue, 29 Jan 2013 15:08:09 +0000
Subject: [pydotorg-www] Fwd: URGENT: Removal of Information for
	FUNERALCALL
In-Reply-To: <CAD+XWwqJtSi4E-RNKLAc-gvUR+nmHuG=2e9M+4qOLe=0K21tdw@mail.gmail.com>
References: <CAPg410BNj7vZu=0i7xQ8yDB=O+XfOMjY6K+vY5EHD69YydW9Jg@mail.gmail.com>
	<CAD+XWwqJtSi4E-RNKLAc-gvUR+nmHuG=2e9M+4qOLe=0K21tdw@mail.gmail.com>
Message-ID: <5107E5D9.3080309@python.org>

So, sent to anyone *except* the right address :-(

Seems unlikely that someone would just randomly post a job ad on their 
behalf, and I do hate arbitrary threats...

Nonetheless, I'll take it down as part of this evening's batch and copy 
in both the posting party and Amberly.

cheers,

Chris

On 29/01/2013 14:57, Brian Curtin wrote:
> Can anyone who deals with the job board take a look at this? Amberly
> from Funeral Call needs a post removed...
>
>
> ---------- Forwarded message ----------
> From: Amberly Odom<amberly at funeralcall.com>
> Date: Tue, Jan 29, 2013 at 8:54 AM
> Subject: URGENT: Removal of Information for FUNERALCALL
> To: jnoller at python.org, spambayes-dev at python.org, brian at python.org,
> guido at python.org
>
>
> Hello,
>
> I just came across a job opening that you have posted for our company.
> We have not given anyone information to post a job and need this to be
> removed immediately.This posting must be removed within 48 hours.
> http://www.python.org/community/jobs/
>
> --
> Amberly Odom
> Director of Marketing
> Funeral Call
>
> p.770-830-6000
> e. amberly at funeralcall.com
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
             - http://www.simplistix.co.uk