From paul at boddie.org.uk  Tue Sep  3 01:50:34 2013
From: paul at boddie.org.uk (Paul Boddie)
Date: Tue, 3 Sep 2013 01:50:34 +0200
Subject: [pydotorg-www] Wiki Spam and Maintenance
Message-ID: <201309030150.34975.paul@boddie.org.uk>

Hello,

I'm not sure whether anyone noticed, but for most of August I wasn't doing any Python Wiki maintenance, so I'd like to thank those people who stepped in and tried to keep the wiki free of spam. As those unfortunate people realised, removing spam can take up considerable amounts of time that could be spent on other things.

Spam prevention can be a difficult trick to pull off: the MoinMoin Wiki manages to do just fine, as does the Debian Wiki, it would seem. Meanwhile, other Moin wikis struggle to deal with the deluge of Internet spam, and this presumably frustrates both users and admins alike. Consequently, I have made an attempt at elementary advice on the matter:

http://sourceforge.net/mailarchive/message.php?msg_id=31345030

(I have also given advice for specific wikis in the past [*], but I have no idea whether this advice has been followed, especially given the current difficulties of such sites.)

I do not feel that the right balance is being maintained between the freedom to edit the Python Wiki and the need to demand that contributors be sufficiently trustworthy and knowledgeable in order to make edits. Since the threshold to make edits once one has registered an account remains too low, spammers are able to take advantage of our generosity of spirit.

It is unfortunate, then, that wiki maintainers do not enjoy the same level of accommodation enjoyed by spammers along with hypothetical wiki editors who would supposedly go to the trouble of creating a wiki account and making edits without being able to answer even the most elementary question about the nature of Python or its community.
Although textcha support is enabled, we seem to be asking such casual contributors the wrong questions, and the cost of this is being borne by the wiki maintainers.

I would much rather be doing other things than clean up spam that probably could have been prevented through more effective use of the available mechanisms. My time and the time of others is being wasted so that other random people can merely avoid inconvenience. I do not regard this situation as a sustainable one, nor do I regard it as an acceptable way of treating those who have taken on such responsibility voluntarily.

Please can we review our anti-spam measures and implement a policy that does not take advantage of those volunteers who feel responsible for maintaining this resource? I appreciate the work done to revive and run this resource, but I feel that the patience of those maintaining it will eventually expire if something is not done about this.

Thanks,

Paul

[*] http://www.selenic.com/pipermail/mercurial/2010-May/032464.html


From mal at egenix.com  Tue Sep  3 13:18:43 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Tue, 03 Sep 2013 13:18:43 +0200
Subject: [pydotorg-www] Wiki moin logs are now rotated monthly
Message-ID: <5225C593.5010203@egenix.com>

Since the wiki VM is rather tight on disk space, I've enabled monthly rotation of the moin event logs for all wikis.

A side effect of this change is that the page visits count in moin will appear to be cleared once a month.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 03 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From mal at python.org  Tue Sep  3 14:03:39 2013
From: mal at python.org (M.-A. Lemburg)
Date: Tue, 03 Sep 2013 14:03:39 +0200
Subject: [pydotorg-www] Wiki Spam and Maintenance
In-Reply-To: <201309030150.34975.paul@boddie.org.uk>
References: <201309030150.34975.paul@boddie.org.uk>
Message-ID: <5225D01B.3000802@python.org>

Hi Paul,

I can understand your frustration. I've just removed several spam pages and blocked spam user accounts in both the Python and Jython wikis. I also removed some of the too-easy-to-guess textcha questions.

For the Jython wiki, I think we should consider turning off editing for new users. There simply aren't enough edits from real users (perhaps 1 or 2 a month).

For the Python wiki, the textchas still appear to work reasonably well.

On 03.09.2013 01:50, Paul Boddie wrote:
> Hello,
>
> I'm not sure whether anyone noticed, but for most of August I wasn't doing any Python Wiki maintenance, so I'd like to thank those people who stepped in and tried to keep the wiki free of spam. As those unfortunate people realised, removing spam can take up considerable amounts of time that could be spent on other things.
>
> Spam prevention can be a difficult trick to pull off: the MoinMoin Wiki manages to do just fine, as does the Debian Wiki, it would seem. Meanwhile, other Moin wikis struggle to deal with the deluge of Internet spam, and this presumably frustrates both users and admins alike. Consequently, I have made an attempt at elementary advice on the matter:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=31345030
>
> (I have also given advice for specific wikis in the past [*], but I have no idea whether this advice has been followed, especially given the current difficulties of such sites.)
>
> I do not feel that the right balance is being maintained between the freedom to edit the Python Wiki and the need to demand that contributors be sufficiently trustworthy and knowledgeable in order to make edits. Since the threshold to make edits once one has registered an account remains too low, spammers are able to take advantage of our generosity of spirit.
>
> It is unfortunate, then, that wiki maintainers do not enjoy the same level of accommodation enjoyed by spammers along with hypothetical wiki editors who would supposedly go to the trouble of creating a wiki account and making edits without being able to answer even the most elementary question about the nature of Python or its community. Although textcha support is enabled, we seem to be asking such casual contributors the wrong questions, and the cost of this is being borne by the wiki maintainers.
>
> I would much rather be doing other things than clean up spam that probably could have been prevented through more effective use of the available mechanisms. My time and the time of others is being wasted so that other random people can merely avoid inconvenience. I do not regard this situation as a sustainable one, nor do I regard it as an acceptable way of treating those who have taken on such responsibility voluntarily.
>
> Please can we review our anti-spam measures and implement a policy that does not take advantage of those volunteers who feel responsible for maintaining this resource? I appreciate the work done to revive and run this resource, but I feel that the patience of those maintaining it will eventually expire if something is not done about this.
>
> Thanks,
>
> Paul
>
> [*] http://www.selenic.com/pipermail/mercurial/2010-May/032464.html
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> http://mail.python.org/mailman/listinfo/pydotorg-www
>

-- 
Marc-Andre Lemburg
Director
Python Software Foundation
http://www.python.org/psf/


From mal at egenix.com  Tue Sep  3 16:49:49 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Tue, 03 Sep 2013 16:49:49 +0200
Subject: [pydotorg-www] Removed wiki attack banners
Message-ID: <5225F70D.6010201@egenix.com>

Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.

It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.

Thanks,

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 03 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From mal at egenix.com  Wed Sep  4 22:16:41 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 04 Sep 2013 22:16:41 +0200
Subject: [pydotorg-www] Removed wiki attack banners
In-Reply-To: <5225F70D.6010201@egenix.com>
References: <5225F70D.6010201@egenix.com>
Message-ID: <52279529.6080205@egenix.com>

On 03.09.2013 16:49, M.-A. Lemburg wrote:
> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
>
> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.

Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

(allowing redirects to happen on the client side, if the browser supports HSTS)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 04 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From mal at egenix.com  Wed Sep  4 22:26:51 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Wed, 04 Sep 2013 22:26:51 +0200
Subject: [pydotorg-www] Removed wiki attack banners
In-Reply-To: <52279529.6080205@egenix.com>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com>
Message-ID: <5227978B.5020700@egenix.com>

On 04.09.2013 22:16, M.-A. Lemburg wrote:
> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
>>
>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
>
> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
>
> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>
> (allowing redirects to happen on the client side, if the browser supports HSTS)

I've submitted an HSTS preload list entry request to Google for inclusion in their list:

https://sites.google.com/a/chromium.org/dev/sts
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:

http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 04 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From mal at egenix.com  Thu Sep  5 18:06:13 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 05 Sep 2013 18:06:13 +0200
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <5227978B.5020700@egenix.com>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com>
Message-ID: <5228ABF5.8000101@egenix.com>

On 04.09.2013 22:26, M.-A. Lemburg wrote:
> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
>>>
>>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
>>
>> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
>>
>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>
>> (allowing redirects to happen on the client side, if the browser supports HSTS)
>
> I've submitted an HSTS preload list entry request to Google for inclusion in their list:
>
> https://sites.google.com/a/chromium.org/dev/sts
> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>
> Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:
>
> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List

This is added now:

http://src.chromium.org/viewvc/chrome?revision=221431&view=revision

It'll appear in Chrome after the usual product development cycles. Not sure how often Mozilla updates their list.

Donald: You might want to add pypi.python.org to the HSTS list as well.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 05 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...   http://egenix.com/go48
2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
2013-09-28: PyDDF Sprint ...                               23 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From techtonik at gmail.com  Thu Sep  5 21:58:46 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Thu, 5 Sep 2013 22:58:46 +0300
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <5228ABF5.8000101@egenix.com>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>

On Thu, Sep 5, 2013 at 7:06 PM, M.-A. Lemburg wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
>>>>
>>>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
>>>
>>> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
>>>
>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>
>>> (allowing redirects to happen on the client side, if the browser supports HSTS)
>>
>> I've submitted an HSTS preload list entry request to Google for inclusion in their list:
>>
>> https://sites.google.com/a/chromium.org/dev/sts
>> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>>
>> Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:
>>
>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>
> This is added now:
>
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>
> It'll appear in Chrome after the usual product development cycles. Not sure how often Mozilla updates their list.
>
> Donald: You might want to add pypi.python.org to the HSTS list as well.

All of the above is very good news indeed. =)
-- 
anatoly t.


From leah at numfocus.org  Fri Sep  6 00:07:45 2013
From: leah at numfocus.org (Leah Silen)
Date: Thu, 5 Sep 2013 17:07:45 -0500
Subject: [pydotorg-www] Conference to add
Message-ID: <055920AF-0F6C-481C-91C5-C26F3992266B@pydata.org>

Can you please add PyData to the conference list?

http://pydata.org/

Thanks!!


From mal at egenix.com  Fri Sep  6 10:21:34 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 06 Sep 2013 10:21:34 +0200
Subject: [pydotorg-www] Conference to add
In-Reply-To: <055920AF-0F6C-481C-91C5-C26F3992266B@pydata.org>
References: <055920AF-0F6C-481C-91C5-C26F3992266B@pydata.org>
Message-ID: <5229908E.9010505@egenix.com>

Hi Leah,

are you referring to this listing:

http://python.org/community/workshops/

?
Thanks,

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 06 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...   http://egenix.com/go48
2013-09-20: PyCon UK 2013, Coventry, UK ...                14 days to go
2013-09-28: PyDDF Sprint ...                               22 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

On 06.09.2013 00:07, Leah Silen wrote:
> Can you please add PyData to the conference list?
>
> http://pydata.org/
>
> Thanks!!
>
>
>
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> https://mail.python.org/mailman/listinfo/pydotorg-www
>


From noah at coderanger.net  Sat Sep  7 09:01:37 2013
From: noah at coderanger.net (Noah Kantrowitz)
Date: Sat, 7 Sep 2013 00:01:37 -0700
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>

I would sooner burn the entire PSF infra than compromise our key integrity (if you are worried about government intrusions). Every person that has ever had access to our key material I trust personally (the list is quite small). Given that, PFS doesn't buy us a whole lot unless someone was able to steal the private key(s) without our knowledge, and while every step I can think of has been taken to prevent this, I can never fully rule it out.
That said, now that Fastly handles the vast bulk of SSL terminations, we can probably look at this without risk of overloading the servers :-)

(corollary, Fastly doesn't offer ECC for exactly the same reasons we aren't, nor would I expect this to change in the near future)

--Noah

On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:

> Any chance we could change the default preferred ciphers?
>
> currently sslscan shows (complete with a misspelling):
>
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
>
> for wiki.python.org et al?
>
> Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to do for the web.
>
> ie it'd be great to see:
>
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
>
> -gps
>
>
>
> On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
> >>>
> >>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
> >>
> >> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
> >>
> >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>
> >> (allowing redirects to happen on the client side, if the browser supports HSTS)
> >
> > I've submitted an HSTS preload list entry request to Google for inclusion in their list:
> >
> > https://sites.google.com/a/chromium.org/dev/sts
> > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >
> > Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:
> >
> > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>
> This is added now:
>
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>
> It'll appear in Chrome after the usual product development cycles. Not sure how often Mozilla updates their list.
>
> Donald: You might want to add pypi.python.org to the HSTS list as well.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source  (#1, Sep 05 2013)
> >>> Python Projects, Consulting and Support ...   http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...   http://egenix.com/go48
> 2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
> 2013-09-28: PyDDF Sprint ...                               23 days to go
>
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
>
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/noah%40coderanger.net


From mal at egenix.com  Sat Sep  7 12:41:31 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Sat, 07 Sep 2013 12:41:31 +0200
Subject: [pydotorg-www] [Infrastructure] SSL support (was: Removed wiki attack banners)
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>
Message-ID: <522B02DB.1000103@egenix.com>

Hmm, according to SSLLabs, DHE is not used by browsers for wiki.python.org:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org

Note that ECs are not widely supported, so using those is not such a good idea. Moving away from the ancient RC4 is, though, esp. if TLS 1.2 is available:

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

TLS_DHE_RSA_WITH_AES_256_CBC_SHA would be better as default first choice for SSL.

Not sure whether this is worth fixing for the public wikis, but once we're starting to host things like e-voting on the OSL infrastructure, this may become more important.
Background info: DHE causes the session key to be negotiated between server and client without actually sending key data over the wire. As a result, getting at the session key by looking at a recorded SSL session is really hard, even if you know the server's private key.

Without DHE, it is easily possible to recreate the session key, provided you know the server's private key and have a recording of the SSL handshake.

That's where the term "forward secrecy" comes from - future loss of a private key doesn't result in all recorded SSL sessions suddenly becoming easily decipherable.

On 07.09.2013 08:39, Gregory P. Smith wrote:
> Any chance we could change the default preferred ciphers?
>
> currently sslscan shows (complete with a misspelling):
>
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
>
> for wiki.python.org et al?
>
> Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to do for the web.
>
> ie it'd be great to see:
>
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
>
> -gps
>
>
>
> On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg wrote:
>
>> On 04.09.2013 22:26, M.-A. Lemburg wrote:
>>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>>>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
>>>>>
>>>>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
>>>>
>>>> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
>>>>
>>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>>
>>>> (allowing redirects to happen on the client side, if the browser supports HSTS)
>>>
>>> I've submitted an HSTS preload list entry request to Google for inclusion in their list:
>>>
>>> https://sites.google.com/a/chromium.org/dev/sts
>>> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>>>
>>> Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:
>>>
>>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
>>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>>
>> This is added now:
>>
>> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>>
>> It'll appear in Chrome after the usual product development cycles. Not sure how often Mozilla updates their list.
>>
>> Donald: You might want to add pypi.python.org to the HSTS list as well.
>>
>> --
>> Marc-Andre Lemburg
>> eGenix.com
>>
>> Professional Python Services directly from the Source  (#1, Sep 05 2013)
>>>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>> ________________________________________________________________________
>> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...   http://egenix.com/go48
>> 2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
>> 2013-09-28: PyDDF Sprint ...                               23 days to go
>>
>>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>            Registered at Amtsgericht Duesseldorf: HRB 46611
>>                http://www.egenix.com/company/contact/
>> ________________________________________________
>> Infrastructure mailing list
>> Infrastructure at python.org
>> https://mail.python.org/mailman/listinfo/infrastructure
>> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
>>
>


From greg at krypto.org  Sat Sep  7 08:39:23 2013
From: greg at krypto.org (Gregory P. Smith)
Date: Fri, 6 Sep 2013 23:39:23 -0700
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <5228ABF5.8000101@egenix.com>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>

Any chance we could change the default preferred ciphers?

currently sslscan shows (complete with a misspelling):

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

for wiki.python.org et al?

Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to do for the web.

ie it'd be great to see:

  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA

http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

-gps

On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg wrote:

> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>> Since the HTTPS redirects are now mostly working (there are still some details to be worked out), I've removed the wiki banners about the attack and instead added a section to the front pages of the Python and Jython wikis.
> >>>
> >>> It's a good idea to change the passwords on the wikis now, since clear text passwords are just too easy to sniff at conferences.
> >>
> >> Update: The HTTPS config changes have now been put in place and HSTS is now also enabled for the wikis:
> >>
> >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>
> >> (allowing redirects to happen on the client side, if the browser supports HSTS)
> >
> > I've submitted an HSTS preload list entry request to Google for inclusion in their list:
> >
> > https://sites.google.com/a/chromium.org/dev/sts
> > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >
> > Firefox bases its list on Google's, so hopefully wiki.python.org will end up there as well in a few weeks:
> >
> > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>
> This is added now:
>
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>
> It'll appear in Chrome after the usual product development cycles. Not sure how often Mozilla updates their list.
>
> Donald: You might want to add pypi.python.org to the HSTS list as well.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source  (#1, Sep 05 2013)
> >>> Python Projects, Consulting and Support ...   http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...   http://egenix.com/go48
> 2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
> 2013-09-28: PyDDF Sprint ...                               23 days to go
>
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
>


From greg at krypto.org  Sat Sep  7 20:18:54 2013
From: greg at krypto.org (Gregory P. Smith)
Date: Sat, 7 Sep 2013 11:18:54 -0700
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>

On Sat, Sep 7, 2013 at 12:01 AM, Noah Kantrowitz wrote:

> I would sooner burn the entire PSF infra than compromise our key integrity (if you are worried about government intrusions). Every person that has ever had access to our key material I trust personally (the list is quite small). Given that, PFS doesn't buy us a whole lot unless someone was able to steal the private key(s) without our knowledge, and while every step I can think of has been taken to prevent this, I can never fully rule it out.
> That said, now that Fastly handles the vast bulk of SSL terminations, we can probably look at this without risk of overloading the servers :-)
> (corollary, Fastly doesn't offer ECC for exactly the same reasons we aren't, nor would I expect this to change in the near future)
>

I'm not worried about anything. I was just wondering if we could follow the best practices on the web to set a good example. But since I'm not doing the work I'll just shut up. :)

>
> --Noah
>
> On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:
>
> > Any chance we could change the default preferred ciphers?
> > > > currently sslscan shows (complete with a misspelling): > > > > Prefered Server Cipher(s): > > SSLv3 128 bits RC4-SHA > > TLSv1 128 bits RC4-SHA > > > > for wiki.python.org et al? > > > > Defaulting to ECDHE (for perfect forward secrecy) seem the right thing > to do for the web. > > > > ie it'd be great to see: > > > > Prefered Server Cipher(s): > > SSLv3 128 bits ECDHE-RSA-RC4-SHA > > TLSv1 128 bits ECDHE-RSA-RC4-SHA > > > > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html > > > > -gps > > > > > > > > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg wrote: > > On 04.09.2013 22:26, M.-A. Lemburg wrote: > > > On 04.09.2013 22:16, M.-A. Lemburg wrote: > > >> On 03.09.2013 16:49, M.-A. Lemburg wrote: > > >>> Since the HTTPS redirect are now mostly working (there are still some > > >>> details to be worked out), I've removed the wiki banners about the > > >>> attack and instead added a section to the front pages of the Python > > >>> and Jython wikis. > > >>> > > >>> It's a good idea to change the passwords on the wikis now, since > > >>> clear text passwords are just too easy to sniff at conferences. 
> > >> > > >> Update: The HTTPS config changes have now been put in place and > > >> > > >> HSTS is now also enabled for the wikis: > > >> > > >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security > > >> > > >> (allowing redirects to happen on the client side, if the browser > > >> supports HSTS) > > > > > > I've submitted an HSTS preload list entry request to Google for > > > inclusion in their list: > > > > > > https://sites.google.com/a/chromium.org/dev/sts > > > > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json > > > > > > Firefox bases its list on Google's, so hopefully wiki.python.org > > > will end up there as well in a few weeks: > > > > > > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/ > > > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List > > > > This is added now: > > > > http://src.chromium.org/viewvc/chrome?revision=221431&view=revision > > > > It'll appear in Chrome after the usual product development > > cycles. Not sure how often Mozilla updates their list. > > > > Donald: You might want to add pypi.python.org to the HSTS > > list as well. > > > > -- > > Marc-Andre Lemburg > > eGenix.com > > > > Professional Python Services directly from the Source (#1, Sep 05 2013) > > >>> Python Projects, Consulting and Support ... http://www.egenix.com/ > > >>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ > > >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ > > ________________________________________________________________________ > > 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ... http://egenix.com/go48 > > 2013-09-20: PyCon UK 2013, Coventry, UK ... 15 days to go > > 2013-09-28: PyDDF Sprint ... 23 days to go > > > > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > > D-40764 Langenfeld, Germany. CEO Dipl.-Math. 
Marc-Andre Lemburg > > Registered at Amtsgericht Duesseldorf: HRB 46611 > > http://www.egenix.com/company/contact/ > > ________________________________________________ > > Infrastructure mailing list > > Infrastructure at python.org > > https://mail.python.org/mailman/listinfo/infrastructure > > Unsubscribe: > https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org > > > > ________________________________________________ > > Infrastructure mailing list > > Infrastructure at python.org > > https://mail.python.org/mailman/listinfo/infrastructure > > Unsubscribe: > https://mail.python.org/mailman/options/infrastructure/noah%40coderanger.net > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From greg at krypto.org Sat Sep 7 20:25:52 2013 From: greg at krypto.org (Gregory P. Smith) Date: Sat, 7 Sep 2013 11:25:52 -0700 Subject: [pydotorg-www] [Infrastructure] SSL support (was: Removed wiki attack banners) In-Reply-To: <522B02DB.1000103@egenix.com> References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com> <522B02DB.1000103@egenix.com> Message-ID: On Sat, Sep 7, 2013 at 3:41 AM, M.-A. Lemburg wrote: > Hmm, according to SSLLabs, DHE is not used by browsers > for wiki.python.org: > > https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org > > Note that ECs are not widely supported, so using those is not > such a good idea. Moving away from the ancient RC4 is, though, > esp. if TLS 1.2 is available: > > > https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA would be better as default > first choice for SSL. > > Not sure whether this is worth fixing for the public wikis, > but once we're starting to host things like e-voting on the > OSL infra structure, this may become more important. 
> > Background info: DHE causes the session key to be > negotiated between server and client without actually sending > key data over the wire. As a result, getting at the session > key by looking at a recorded SSL session is really hard, even > if you know the server's private key. Without DHE, it is easily > possible to recreate the session key, provided you know the > server's private key and have a recording for the SSL handshake. > That's where the term "forward secrecy" comes from - future loss > of a private key doesn't result in all recorded SSL sessions to > suddenly become easily decipherable. > Oh I wouldn't say its really worth much either at least as far as our services go. But FWIW, Chrome and Firefox both happily support perfect forward secrecy ciphers (DHE). http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html Google and Facebook both use it and others are sure to follow out of embarrassment: https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection I agree that it does not really matter for us. Just falls into a "oh by the way, this would be nice" category if someone configuring things wants to spend time learning how to set it up. Make a blog post out of it if you do. :) -gps > > On 07.09.2013 08:39, Gregory P. Smith wrote: > > Any chance we could change the default preferred ciphers? > > > > currently sslscan shows (complete with a misspelling): > > > > Prefered Server Cipher(s): > > SSLv3 128 bits RC4-SHA > > TLSv1 128 bits RC4-SHA > > > > for wiki.python.org et al? > > > > Defaulting to ECDHE (for perfect forward secrecy) seem the right thing to > > do for the web. > > > > ie it'd be great to see: > > > > Prefered Server Cipher(s): > > SSLv3 128 bits ECDHE-RSA-RC4-SHA > > TLSv1 128 bits ECDHE-RSA-RC4-SHA > > > > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html > > > > -gps > > > > > > > > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. 
Lemburg wrote: > > > >> On 04.09.2013 22:26, M.-A. Lemburg wrote: > >>> On 04.09.2013 22:16, M.-A. Lemburg wrote: > >>>> On 03.09.2013 16:49, M.-A. Lemburg wrote: > >>>>> Since the HTTPS redirect are now mostly working (there are still some > >>>>> details to be worked out), I've removed the wiki banners about the > >>>>> attack and instead added a section to the front pages of the Python > >>>>> and Jython wikis. > >>>>> > >>>>> It's a good idea to change the passwords on the wikis now, since > >>>>> clear text passwords are just too easy to sniff at conferences. > >>>> > >>>> Update: The HTTPS config changes have now been put in place and > >>>> > >>>> HSTS is now also enabled for the wikis: > >>>> > >>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security > >>>> > >>>> (allowing redirects to happen on the client side, if the browser > >>>> supports HSTS) > >>> > >>> I've submitted an HSTS preload list entry request to Google for > >>> inclusion in their list: > >>> > >>> https://sites.google.com/a/chromium.org/dev/sts > >>> > >> > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json > >>> > >>> Firefox bases its list on Google's, so hopefully wiki.python.org > >>> will end up there as well in a few weeks: > >>> > >>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/ > >>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List > >> > >> This is added now: > >> > >> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision > >> > >> It'll appear in Chrome after the usual product development > >> cycles. Not sure how often Mozilla updates their list. > >> > >> Donald: You might want to add pypi.python.org to the HSTS > >> list as well. > >> > >> -- > >> Marc-Andre Lemburg > >> eGenix.com > >> > >> Professional Python Services directly from the Source (#1, Sep 05 2013) > >>>>> Python Projects, Consulting and Support ... http://www.egenix.com/ > >>>>> mxODBC.Zope/Plone.Database.Adapter ... 
http://zope.egenix.com/ > >>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ > >> ________________________________________________________________________ > >> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ... > http://egenix.com/go48 > >> 2013-09-20: PyCon UK 2013, Coventry, UK ... 15 days to go > >> 2013-09-28: PyDDF Sprint ... 23 days to go > >> > >> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > >> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg > >> Registered at Amtsgericht Duesseldorf: HRB 46611 > >> http://www.egenix.com/company/contact/ > >> ________________________________________________ > >> Infrastructure mailing list > >> Infrastructure at python.org > >> https://mail.python.org/mailman/listinfo/infrastructure > >> Unsubscribe: > >> > https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org > >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From donald at stufft.io Sat Sep 7 20:52:54 2013 From: donald at stufft.io (Donald Stufft) Date: Sat, 7 Sep 2013 14:52:54 -0400 Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners In-Reply-To: References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com> Message-ID: <73A66911-83A3-4DAC-850F-5DEFF8457072@stufft.io> On Sep 7, 2013, at 2:18 PM, "Gregory P. Smith" wrote: > I'm not worried about anything. I was just wondering if we could follow the best practices on the web to set a good example. But since I'm not doing the work I'll just shutup. :) I just deployed: https://github.com/python/psf-chef/pull/50 Looks like we didn't get PSF from it though, probably our OpenSSL is too old. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- An HTML attachment was scrubbed... 
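The HSTS rollout and the Chrome preload-list request described in Marc-Andre's quoted messages above both depend on the wikis sending a well-formed Strict-Transport-Security header. As an added example, not the wiki's web-server or psf-chef configuration, the block below builds that header, parses one back following RFC 6797 (a missing or repeated directive makes a browser ignore the whole header), and reports why a header would fail preload submission. The one-year minimum max-age and the includeSubDomains and preload requirements are the present-day hstspreload.org criteria, an assumption added here; the thread itself only mentions the list.

```python
"""Build and validate Strict-Transport-Security headers (RFC 6797).

Added example for this thread; not the python.org wiki configuration.
"""
import re

# Current hstspreload.org submission threshold (one year). This is an
# assumption for the example, not a value stated in the thread.
PRELOAD_MIN_MAX_AGE = 31536000

# directive-name [ "=" token-or-quoted-string ]
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def build_hsts(max_age, include_subdomains=False, preload=False):
    """Return the header value a server should send on every HTTPS response."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse a header value into {directive-name-lowercased: value-or-None}.

    Returns None when a user agent would ignore the header: a directive
    that does not fit the grammar, a directive that appears twice, or a
    missing / non-numeric max-age.
    """
    directives = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue                      # tolerate a trailing ';'
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:            # duplicates invalidate the header
            return None
        directives[name] = m.group(3)     # None when no '=' was present
    max_age = directives.get("max-age") or ""
    if not re.fullmatch(r"\d+", max_age):
        return None
    return directives


def preload_problems(value):
    """List the reasons a header would not pass the preload checks ([] = OK)."""
    d = parse_hsts(value)
    if d is None:
        return ["header is malformed"]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s is below %d" % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    header = build_hsts(PRELOAD_MIN_MAX_AGE, include_subdomains=True, preload=True)
    print(header, preload_problems(header))
    print(preload_problems("max-age=600"))
```

A header with a short max-age still protects returning visitors between visits but will be rejected for the preload list; a site that serves HSTS only on some responses, or only over HTTP, gets nothing from it, so the check belongs in deployment tests rather than in a one-off scan.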
From donald at stufft.io Sat Sep 7 20:55:25 2013
From: donald at stufft.io (Donald Stufft)
Date: Sat, 7 Sep 2013 14:55:25 -0400
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <73A66911-83A3-4DAC-850F-5DEFF8457072@stufft.io>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com> <73A66911-83A3-4DAC-850F-5DEFF8457072@stufft.io>
Message-ID: <0159028F-CB5F-4DEB-84AD-E23EED0FF43F@stufft.io>

On Sep 7, 2013, at 2:52 PM, Donald Stufft wrote:
>
> On Sep 7, 2013, at 2:18 PM, "Gregory P. Smith" wrote:
>
>> I'm not worried about anything. I was just wondering if we could follow the best practices on the web to set a good example. But since I'm not doing the work I'll just shut up. :)
>
> I just deployed: https://github.com/python/psf-chef/pull/50
>
> Looks like we didn't get PFS from it though, probably our OpenSSL is too old.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Hm, or maybe stud doesn't support the + syntax

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

From donald at stufft.io Sat Sep 7 21:26:24 2013
From: donald at stufft.io (Donald Stufft)
Date: Sat, 7 Sep 2013 15:26:24 -0400
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <0159028F-CB5F-4DEB-84AD-E23EED0FF43F@stufft.io>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com> <73A66911-83A3-4DAC-850F-5DEFF8457072@stufft.io> <0159028F-CB5F-4DEB-84AD-E23EED0FF43F@stufft.io>
Message-ID: <8821DC51-E8CC-4EF0-A2F3-E464D1CF035D@stufft.io>

Actually it appears we need to do https://github.com/bumptech/stud#diffiehellman to get EDH working, that should then enable PFS.

On Sep 7, 2013, at 2:55 PM, Donald Stufft wrote:
>
> On Sep 7, 2013, at 2:52 PM, Donald Stufft wrote:
>
>>
>> On Sep 7, 2013, at 2:18 PM, "Gregory P. Smith" wrote:
>>
>>> I'm not worried about anything. I was just wondering if we could follow the best practices on the web to set a good example. But since I'm not doing the work I'll just shut up. :)
>>
>> I just deployed: https://github.com/python/psf-chef/pull/50
>>
>> Looks like we didn't get PFS from it though, probably our OpenSSL is too old.
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> Hm, or maybe stud doesn't support the + syntax
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

From donald at stufft.io Sat Sep 7 22:01:10 2013
From: donald at stufft.io (Donald Stufft)
Date: Sat, 7 Sep 2013 16:01:10 -0400
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com>
Message-ID: <999D6B50-3B92-4E9E-9558-624470A4CB94@stufft.io>

On Sep 7, 2013, at 2:39 AM, Gregory P. Smith wrote:
> Any chance we could change the default preferred ciphers?

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
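Greg's sslscan output, Marc-Andre's explanation of why (EC)DHE gives forward secrecy and why RC4 should go regardless of key exchange, and Donald's note that stud needs Diffie-Hellman parameters before EDH suites can be negotiated all reduce to one question: which key exchange does the server's preferred suite use? The block below is an added example, not the psf-chef or stud configuration. It parses the preferred-cipher block quoted in the thread (the sample text is constructed from those lines), classifies OpenSSL-style and IANA-style suite names by key exchange, and builds a Python `ssl` server context with an illustrative cipher string, an assumption rather than the deployed setting, that prefers ECDHE, then DHE, and excludes RC4. Note that Greg's proposed ECDHE-RSA-RC4-SHA gets forward secrecy but keeps RC4, which is exactly Marc-Andre's objection.

```python
"""Audit preferred TLS cipher suites for forward secrecy and RC4.

Added example for this thread; not the wiki's stud/chef configuration.
"""
import re
import ssl

# Constructed sample: the two "Prefered Server Cipher(s)" blocks Greg quoted
# (the RC4 default and the ECDHE proposal), laid out the way sslscan prints them.
SSLSCAN_CURRENT = """\
Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA
"""

SSLSCAN_PROPOSED = """\
Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA
"""

_CIPHER_LINE = re.compile(r"^\s*(SSLv\d|TLSv[\d.]+)\s+(\d+)\s+bits\s+(\S+)")


def parse_preferred(scan_output):
    """Return [(protocol, bits, cipher)] from the preferred-cipher block.

    Accepts sslscan's "Prefered" spelling as well as "Preferred".
    """
    found, in_block = [], False
    for line in scan_output.splitlines():
        low = line.lower()
        if low.startswith("prefer") and "cipher" in low:
            in_block = True
            continue
        if in_block:
            m = _CIPHER_LINE.match(line)
            if not m:
                break                      # first non-cipher line ends the block
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def key_exchange(suite):
    """Classify a suite name (OpenSSL or IANA form) by its key exchange.

    'ephemeral' (ECDHE/DHE, and every TLS 1.3 suite) gives forward secrecy:
    the session key derives from per-connection DH values, so a later loss
    of the server's private key does not expose recorded sessions. 'rsa'
    (pre-master secret encrypted to the server's RSA key) and 'static'
    (fixed DH keys in the certificate) do not. 'anonymous' suites are
    ephemeral but unauthenticated and so are not treated as acceptable.
    """
    name = suite.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:           # TLS 1.3 names carry no kx part
            return "ephemeral"
        kx = name[4:].split("_WITH_", 1)[0]   # e.g. DHE_RSA, ECDHE_ECDSA, RSA
        name = kx.replace("_", "-") + "-"
    if name.startswith(("ADH-", "AECDH-", "DH-ANON-", "ECDH-ANON-")):
        return "anonymous"
    if name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"
    if name.startswith(("ECDH-", "DH-")):
        return "static"
    return "rsa"


def forward_secret(suite):
    return key_exchange(suite) == "ephemeral"


def audit(scan_output):
    """One finding per preferred cipher: forward secrecy? still RC4?"""
    return [
        {"protocol": proto, "cipher": cipher,
         "forward_secrecy": forward_secret(cipher), "rc4": "RC4" in cipher}
        for proto, _bits, cipher in parse_preferred(scan_output)
    ]


# OpenSSL cipher string for illustration (an assumption, not the chef or
# stud value): ephemeral key exchange first, no RC4, MD5 or anonymous suites.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!MD5:!RC4"


def pfs_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that prefers ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(PFS_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_only_pfs(ctx):
    """True when every suite the context can negotiate is ephemeral and RC4-free."""
    return all(forward_secret(c["name"]) and "RC4" not in c["name"]
               for c in ctx.get_ciphers())


if __name__ == "__main__":
    for label, scan in (("current", SSLSCAN_CURRENT), ("proposed", SSLSCAN_PROPOSED)):
        print(label, audit(scan))
    print("context offers only PFS suites:", context_only_pfs(pfs_server_context()))
```

The classifier deliberately reports anonymous (EC)DH suites separately: they are forward secret in the narrow sense but authenticate nobody, so a scan that counts them as PFS would hide an active-interception risk. For DHE suites the server also needs DH parameters loaded (the stud README section Donald links covers that for stud); with none, the suite is advertised but never negotiated, which is what the SSLLabs result Marc-Andre quotes looks like.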
From mal at egenix.com Sun Sep 8 17:14:44 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Sun, 08 Sep 2013 17:14:44 +0200
Subject: [pydotorg-www] [Infrastructure] Removed wiki attack banners
In-Reply-To: <999D6B50-3B92-4E9E-9558-624470A4CB94@stufft.io>
References: <5225F70D.6010201@egenix.com> <52279529.6080205@egenix.com> <5227978B.5020700@egenix.com> <5228ABF5.8000101@egenix.com> <999D6B50-3B92-4E9E-9558-624470A4CB94@stufft.io>
Message-ID: <522C9464.1070707@egenix.com>

On 07.09.2013 22:01, Donald Stufft wrote:
>
> On Sep 7, 2013, at 2:39 AM, Gregory P. Smith wrote:
>
>> Any chance we could change the default preferred ciphers?
>
> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org

Thanks, Donald.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Sep 08 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2013-09-04: Released eGenix pyOpenSSL 0.13.2 ... http://egenix.com/go48
2013-09-20: PyCon UK 2013, Coventry, UK ... 12 days to go
2013-09-28: PyDDF Sprint ... 20 days to go

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From mal at egenix.com Mon Sep 9 14:00:47 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Mon, 09 Sep 2013 14:00:47 +0200
Subject: [pydotorg-www] [psf-trademarks] Python Shirts
References: <16E2ABB3-3337-4CA2-90C8-5836D4818EE3@gmail.com> <8DE78A82-C58A-4285-AA70-F3ECC0F41A40@gnosis.cx> <01C1F142-1BB8-4BA1-98C0-FFC5D2B755E5@gmail.com>
Message-ID: <522DB86F.8080402@egenix.com>

Hi David,

I've added both Python Gear and Elegant Stitches to the page. The update should appear within an hour or so.

Thanks,
--
Marc-Andre Lemburg
eGenix.com

On 31.07.2013 02:17, David Mertz wrote:
> Hi Web Folks,
>
> The PSF Trademarks Committee has set a policy to start including blurbs for authorized merchants who use our trademark. FWIW, part of this agreement is for them to make donations if their sales exceed $1000 on said merchandise.
>
> Please add Python Gear to http://www.python.org/community/merchandise/ including the blurb Austin provides and his logo attached here.
>
> Yours, David Mertz
> Chair, PSF TC
> Director of the PSF
> etc.
>
>> On Tue, Jul 2, 2013 at 9:48 PM, Austin Gabel wrote:
>>
>>> Thanks for clearing that up for me. I think that arrangement is more than fair. Here is what I would like to put on the merchandise page.
>>>
>>> "Look your best and show off your Python pride with T-Shirts and other merchandise from PythonGear.com. Located in Kansas, and ready to ship your new threads anywhere in the US."
>>>
>>> And please add my logo along with it.
>>> [image: Inline image 1]
>>>
>>> Thank you very much
>>> Austin Gabel
>>
>> _______________________________________________
>> pydotorg-www mailing list
>> pydotorg-www at python.org
>> http://mail.python.org/mailman/listinfo/pydotorg-www

From mal at egenix.com Fri Sep 13 09:43:12 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 13 Sep 2013 09:43:12 +0200
Subject: [pydotorg-www] Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs | OpenID
Message-ID: <5232C210.1070301@egenix.com>

Not sure whether this is relevant for the python.org infrastructure, but since we're using OpenID for some parts, it may be worth a look:

http://openid.net/2013/08/15/vulnerability-alert-openid-2-0-implementations-vulnerabilities-found-in-some-ops/

AFAIK, PyPI can be used as OP, but it's not implementing OpenID 2.0.

--
Marc-Andre Lemburg
eGenix.com

From michael at voidspace.org.uk Mon Sep 16 22:15:22 2013
From: michael at voidspace.org.uk (Michael Foord)
Date: Mon, 16 Sep 2013 21:15:22 +0100
Subject: [pydotorg-www] Fix a link to source code
Message-ID: <98F855EC-1027-46A2-AAD3-ED0F3AEBCEA8@voidspace.org.uk>

On 25 Jul 2013, at 12:48, anatoly techtonik wrote:

> http://www.python.org/getit/source/
>
> Searching "python source" gives this page. Would be nice to see a link to the repository browser here until the new site is ready.

Done (belatedly).

Michael

> --
> anatoly t.

--
http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html

From techtonik at gmail.com Sun Sep 22 14:22:12 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Sun, 22 Sep 2013 15:22:12 +0300
Subject: [pydotorg-www] [Infrastructure] Wiki moin logs are now rotated monthly
In-Reply-To: <5225C593.5010203@egenix.com>
References: <5225C593.5010203@egenix.com>

On Tue, Sep 3, 2013 at 2:18 PM, M.-A. Lemburg wrote:
> Since the wiki VM is rather tight on disk space, I've enabled monthly rotation of the moin event logs for all wikis.
>
> A side effect of this change is that the page visits count in moin will appear to be cleared once a month.

Are there some public stats about wiki page popularity?

--
anatoly t.

From mal at egenix.com Mon Sep 23 11:12:28 2013
From: mal at egenix.com (M.-A. Lemburg)
Date: Mon, 23 Sep 2013 11:12:28 +0200
Subject: [pydotorg-www] [Infrastructure] Wiki moin logs are now rotated monthly
References: <5225C593.5010203@egenix.com>
Message-ID: <524005FC.4010001@egenix.com>

On 22.09.2013 14:22, anatoly techtonik wrote:
> On Tue, Sep 3, 2013 at 2:18 PM, M.-A. Lemburg wrote:
>
>> Since the wiki VM is rather tight on disk space, I've enabled monthly rotation of the moin event logs for all wikis.
>>
>> A side effect of this change is that the page visits count in moin will appear to be cleared once a month.
>
> Are there some public stats about wiki page popularity?

No.

--
Marc-Andre Lemburg
eGenix.com

From techtonik at gmail.com Mon Sep 23 12:30:34 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Mon, 23 Sep 2013 13:30:34 +0300
Subject: [pydotorg-www] [Infrastructure] Wiki moin logs are now rotated monthly
In-Reply-To: <524005FC.4010001@egenix.com>
References: <5225C593.5010203@egenix.com> <524005FC.4010001@egenix.com>

On Mon, Sep 23, 2013 at 12:12 PM, M.-A. Lemburg wrote:
> On 22.09.2013 14:22, anatoly techtonik wrote:
> > On Tue, Sep 3, 2013 at 2:18 PM, M.-A. Lemburg wrote:
> >
> >> Since the wiki VM is rather tight on disk space, I've enabled monthly rotation of the moin event logs for all wikis.
> >>
> >> A side effect of this change is that the page visits count in moin will appear to be cleared once a month.
> >
> > Are there some public stats about wiki page popularity?
>
> No.

Then by disabling those logs you'll shut down wiki stats for measuring its effectiveness.

--
anatoly t.

From myselfasunder at gmail.com Wed Sep 25 21:19:38 2013
From: myselfasunder at gmail.com (Dustin Oprea)
Date: Wed, 25 Sep 2013 15:19:38 -0400
Subject: [pydotorg-www] PyPI Wordpress iframe/Widget

I'd like to throw together a little website widget that displays how many downloads one or more PyPI projects are getting. I'd then like to wrap it in a modest WordPress plugin.

I could do it in Javascript that directly scrapes the requested PyPI page(s), but then it'd be scraping PyPI from every page it's used on, on every pageload. It'd be costly to PyPI, and have a delay on the webpage. If I write a small service endpoint, I could cache all of the information and lower the traffic burden, and decrease the load time.

I'll only do this if I can host the service endpoint on python.org, though. Would I be able to?

Dustin Oprea (http://dustinoprea.com/)

From noah at coderanger.net Wed Sep 25 21:53:32 2013
From: noah at coderanger.net (Noah Kantrowitz)
Date: Wed, 25 Sep 2013 14:53:32 -0500
Subject: [pydotorg-www] PyPI Wordpress iframe/Widget
Message-ID: <115BA750-43F8-4A53-9D56-043FB31E0431@coderanger.net>

Download counts per file are available in the JSON output (ex. https://pypi.python.org/pypi/Django/1.5.4/json), maybe if you offer Donald some new beer or something he can add the package-level rolling counts too.

--Noah

On Sep 25, 2013, at 2:19 PM, Dustin Oprea wrote:

> I'd like to throw together a little website widget that displays how many downloads one or more PyPI projects are getting. I'd then like to wrap it in a modest WordPress plugin.
>
> I could do it in Javascript that directly scrapes the requested PyPI page(s), but then it'd be scraping PyPI from every page it's used on, on every pageload. It'd be costly to PyPI, and have a delay on the webpage. If I write a small service endpoint, I could cache all of the information and lower the traffic burden, and decrease the load time.
>
> I'll only do this if I can host the service endpoint on python.org, though. Would I be able to?
>
> Dustin Oprea (http://dustinoprea.com/)

From myselfasunder at gmail.com Wed Sep 25 21:58:26 2013
From: myselfasunder at gmail.com (Dustin Oprea)
Date: Wed, 25 Sep 2013 15:58:26 -0400
Subject: [pydotorg-www] PyPI Wordpress iframe/Widget
In-Reply-To: <115BA750-43F8-4A53-9D56-043FB31E0431@coderanger.net>
References: <115BA750-43F8-4A53-9D56-043FB31E0431@coderanger.net>

If by "package level" you mean similar counts to what's currently visible on the standard download page, then I'd be happy to leave an envelope of cash in a drop somewhere, to whatever end...

On Wed, Sep 25, 2013 at 3:53 PM, Noah Kantrowitz wrote:
> Download counts per file are available in the JSON output (ex. https://pypi.python.org/pypi/Django/1.5.4/json), maybe if you offer Donald some new beer or something he can add the package-level rolling counts too.
>
> --Noah
>
> On Sep 25, 2013, at 2:19 PM, Dustin Oprea wrote:
>
> > I'd like to throw together a little website widget that displays how many downloads one or more PyPI projects are getting. I'd then like to wrap it in a modest WordPress plugin.
> >
> > I could do it in Javascript that directly scrapes the requested PyPI page(s), but then it'd be scraping PyPI from every page it's used on, on every pageload. It'd be costly to PyPI, and have a delay on the webpage. If I write a small service endpoint, I could cache all of the information and lower the traffic burden, and decrease the load time.
> >
> > I'll only do this if I can host the service endpoint on python.org, though. Would I be able to?
> >
> > Dustin Oprea (http://dustinoprea.com/)
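Dustin wants a small cached endpoint so the widget does not hit PyPI from every page load, and Noah points at the per-file counts in the release JSON. The block below is an added example of that backend, not python.org code and not Dustin's plugin: a TTL cache in front of a fetch function that sums the per-file `downloads` values of one release. The JSON sample is constructed to follow the shape of `/pypi/<project>/<version>/json` (a `urls` list of file records), and `sample_fetch` stands in for the HTTP request. Because the endpoint would build upstream URLs from project names supplied by arbitrary page content, it validates them with the PEP 508 name rule and normalises them as PEP 503 does before using them as cache keys; both rules are real, the endpoint design is an assumption. Present-day PyPI reports -1 in the per-file `downloads` field, so the code skips negative values rather than subtracting them.

```python
"""Cached PyPI download-count lookup for a widget backend.

Added example for this thread; not a python.org service.
"""
import json
import re
import time

# Constructed sample responses keyed by (normalised project, version),
# following the shape of /pypi/<project>/<version>/json.
SAMPLE_RESPONSES = {
    ("django", "1.5.4"): json.dumps({
        "info": {"name": "Django", "version": "1.5.4"},
        "urls": [
            {"filename": "Django-1.5.4.tar.gz", "downloads": 1200},
            {"filename": "Django-1.5.4-py2-none-any.whl", "downloads": 340},
            {"filename": "Django-1.5.4.egg", "downloads": -1},   # unknown count
        ],
    }),
}

# PEP 508 project-name rule: the endpoint takes names from untrusted page
# content, so reject anything else before it reaches an upstream URL.
_NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")


def valid_project_name(name):
    return bool(_NAME_RE.match(name))


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of . _ - to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sample_fetch(project, version):
    """Stand-in for an HTTP GET of the release JSON (hypothetical transport)."""
    key = (normalize(project), version)
    if key not in SAMPLE_RESPONSES:
        raise LookupError("no such release: %s %s" % (project, version))
    return SAMPLE_RESPONSES[key]


class DownloadCounter:
    """Sums per-file counts for a release and caches the total for `ttl` seconds.

    `clock` is injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, fetch=sample_fetch, ttl=3600, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._cache = {}
        self.hits = self.misses = 0

    def release_downloads(self, project, version):
        if not valid_project_name(project):
            raise ValueError("invalid project name")
        key = (normalize(project), version)
        now = self._clock()
        entry = self._cache.get(key)
        if entry is not None and now - entry[0] < self._ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        data = json.loads(self._fetch(project, version))
        total = sum(f["downloads"] for f in data.get("urls", [])
                    if f.get("downloads", -1) >= 0)
        self._cache[key] = (now, total)
        return total


if __name__ == "__main__":
    counter = DownloadCounter(ttl=60)
    print(counter.release_downloads("Django", "1.5.4"))   # fetched
    print(counter.release_downloads("django", "1.5.4"))   # served from cache
    print("hits/misses:", counter.hits, counter.misses)
```

With a one-hour TTL the upstream load becomes one request per (project, version) per hour regardless of how many blog pages embed the widget, and a bad name fails before any request is made, which is the property a shared endpoint on python.org would need.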