I don't mind the idea of scraping out the code. Such should be careful to wait as long between requests as the last request took so that the scraper automatically slows down if the site becomes bogged down.

I have been personally against making the source code too widely available because the security design is far from stellar and we have had real instances of people getting access to the source code and then using such information to construct attacks against the site.

The counter argument would be that "surely, making the code widely available would greatly increase the speed with which security problems can be noticed and addressed". Unfortunately, my experience is that giving somebody access to the PerlMonks code has a roughly zero percent chance of them contributing anything to said code.

Surely, some of the reason for such poor historical return on providing access is due to the quirky (at least!) manner in which the code can be viewed and the significant impediments to contribution. And certainly some of those would/might be addressed by the proposed new method of dissemination.

But I think there would still be significant impediments to effectively understanding the code and I don't yet see any clear route to this providing significant improvements to effective contribution.

So my personal assessment is that the likely result would be increased risk to the site.

However, there has been no effective progress on, for example, creating a "tinkers" group so I find it hard to justify blocking a potential improvement in maintainability given the pronounced stall in the status quo.

I'd welcome other opinions, particularly on my security concerns... especially from people who actually have a good clue about the security risks of PerlMonks (rare as such people probably are).

But I think things have dragged on long enough that I would not block such a scheme. I'll just stand by my prediction (which I hope will be proven wrong) on the down side and resign myself to "I told you so" if it comes to that.

Doing the work to troll the logs for missed exceptions and then actually implementing the "white list" (to replace the "black list") before such a release would make me feel much better about it.

- tye
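The self-throttling rule in the first paragraph (wait at least as long between requests as the previous request took, so a scraper backs off automatically when the site slows down) is simple enough to show in working code. The following is an added illustration, not code from PerlMonks or from tye; the helper names `next_delay`, `polite_fetch_all` and `simulate`, the injectable `fetch`/`sleep`/`clock` callables and the fake clock are all my own constructions so the loop can be exercised offline.

```python
import time
from typing import Callable, Iterable, List, Optional, Tuple

# Hypothetical helper names; the floor_seconds knob is an addition beyond the
# post's rule, for scrapers that also want a minimum pause.


def next_delay(last_request_seconds: float, floor_seconds: float = 0.0) -> float:
    """Pause before the next request: at least as long as the last one took."""
    return max(last_request_seconds, floor_seconds)


def polite_fetch_all(
    urls: Iterable[str],
    fetch: Callable[[str], str],
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
    floor_seconds: float = 0.0,
) -> Tuple[List[Tuple[str, str, float]], List[float]]:
    """Fetch each URL in turn, pausing between requests by the adaptive rule.

    Returns (results, delays): results holds (url, body, seconds_taken) per
    request; delays holds the pause chosen before each request after the first.
    """
    results: List[Tuple[str, str, float]] = []
    delays: List[float] = []
    last_took = 0.0
    for i, url in enumerate(urls):
        if i > 0:
            pause = next_delay(last_took, floor_seconds)
            delays.append(pause)
            sleep(pause)  # a slow previous response means a long pause now
        started = clock()
        body = fetch(url)
        last_took = clock() - started
        results.append((url, body, last_took))
    return results, delays


def simulate(durations: List[float], floor_seconds: float = 0.0) -> List[float]:
    """Drive polite_fetch_all with a constructed fake clock and fake server.

    durations[i] is how long the fake server takes to answer request i.
    Returns the pauses the scraper chose, so the rule can be checked offline.
    """
    now = [0.0]
    remaining = iter(durations)

    def clock() -> float:
        return now[0]

    def fetch(url: str) -> str:
        now[0] += next(remaining)  # the fake server "takes" this long
        return f"<constructed body of {url}>"

    def sleep(seconds: float) -> None:
        now[0] += seconds  # advance the fake clock instead of really sleeping

    urls = [f"http://example.invalid/node/{i}" for i in range(len(durations))]
    _, delays = polite_fetch_all(
        urls, fetch, sleep=sleep, clock=clock, floor_seconds=floor_seconds
    )
    return delays


if __name__ == "__main__":
    # Responses of 1s, 3s, 2s yield pauses of 1s then 3s before requests 2 and 3.
    print(simulate([1.0, 3.0, 2.0]))
```

With a real `fetch` (for example a function wrapping `urllib.request.urlopen`) and the default `sleep`/`clock`, the same loop throttles against a live server; the fake clock exists only so the pacing rule can be verified without network access.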


In reply to Re^5: Everything2 github repository and being of value to perlmonks (security of obscurity) by tye
in thread Everything2 github repository and being of value to perlmonks by JayBonci
