[pydotorg-www] [PSF-Members] [Infrastructure] Wiki news?

Paul Boddie paul at boddie.org.uk
Fri Jan 18 22:51:10 CET 2013 

M.-A. Lemburg wrote:
> On 18.01.2013 19:59, Neil Schemenauer wrote:
> > [PSF list removed]
> >
> > On 2013-01-18, M.-A. Lemburg wrote:
> >> In other words, the backdoor will likely have been open for
> >> several months.
> >
> > My thanks to all the work put in by volunteers.  Has there been any
> > consideration given to using different wiki software?  It's my
> > impression that MoinMoin has a quite poor record with regard to
> > security:
> >
> >     http://moinmo.in/SecurityFixes
> >
> > The abundance of past holes doesn't predict future ones but in
> > general there seems to be a correlation.
>
> I think that's a misinterpretation. MoinMoin is used in a *lot*
> of places and so finding vulnerabilities becomes more attractive
> than for other similar software.

Agreed. Just because the MoinMoin project has openly published advisories (and 
fixed vulnerabilities) doesn't mean that it has a "poor record", or at least 
a record that is poorer than other software. I happen to be subscribed to 
notifications for MediaWiki, for example, and advisories are regularly 
published exhorting users to upgrade in order to fix various issues.

We could spend substantial effort migrating to something else without any 
guarantee of improved security and with substantial inconvenience incurred. 
As I noted on a rather tiresome thread on the PSF list, throwing everything 
out in order to do things some other, supposedly "better" way is an 
unfortunate Python community tendency that we shouldn't indulge. I also think 
that using people's software and then abandoning it (and them) when we find 
something we don't like about it, instead of offering to improve it, is 
counterproductive if not a betrayal of those people.

> I agree, though, that a security audit would probably not
> hurt :-) Perhaps they should have one of their GSoC students
> run such an audit this summer.
>
> > Whatever software we use,
> > keeping the wiki separated (e.g. in its own VM) is definitely a good
> > idea.  Anytime you allow remote users to create content the risks
> > are high.
>
> True.

I don't want to speculate on what should be done or should have been done 
because I think the MoinMoin developers do a lot of thankless work supporting 
their software so that others may freely benefit from it, but there are 
certainly measures that might be taken to reduce the risk of running this and 
other Web applications.

> Let's not overreact :-) Without the incident we would still be under
> the assumption that we have backups for everything...
>
> It also shows that we have to make a few enhancement to the way
> we do logging; but that's going to be a new thread.

I think the way forward is to be constructive and to consider how the Wiki can 
enhance what the complete python.org site offers and how we can be sure that 
it operates in a way that can be considered acceptable. If that involves 
spending time and effort on improving the software, then we should encourage 
that to happen through whatever reasonable means we have at our disposal.

Paul

More information about the pydotorg-www mailing list