in reply to Re^5: Everything2 github repository and being of value to perlmonks (security of obscurity)
in thread Everything2 github repository and being of value to perlmonks

Tye,

What I'd like to propose is that we are "in this together". I'm now the owner of E2, so I share real financial liability with any security holes that ecore code in general might possess, plus we are going to share the same classes of problems. I'm actively developing engine improvements, including security, and I'm hoping that you can benefit from my work. For my end, I could use the extra hand in making things work and reviewing changes that go in; my site is writers, not coders.

My proposal for the path forward looks like this: I'm about to sign up at github for a recurring private repository setup because I don't want to be in the business of providing and maintaining my source control infrastructure, and I need at least one private repository for my configuration information. I need more than one contributor for my primary team, so it's only a $5/mo jump to a 10 collaborator plan with 20 repositories.

We can work out a trusted team from your group to go through things in the private repos and really prep them (with the ecore tools), and design a path forward to get to a place where you feel comfortable that the code is secure. Ideally we can find a way to merge the two engine bases again and move forward from there.

I'm hoping to reduce barriers to contribution by reducing the difficulty for development by pre-packaging the environment with Vagrant, hopefully by sharing the same chef recipes as production, only pared down.

Lastly, by trolling the logs, do you mean checking the everything.errlog (or its equivalent), and making sure that errors are squashed?

Let me know how you feel about it, either here or over email.


    --jaybonci

Re^7: Everything2 github repository and being of value to perlmonks (security of obscurity)
by tye (Sage) on Mar 08, 2012 at 02:48 UTC

    That all sounds good.

    Yes, I meant everything.errlog, but I was talking about trolling for something more specific. Long, long ago when I implemented a whitelist of DB columns that can be automatically modified because I find the blacklist approach hopelessly prone to security problems, I didn't actually switch to the whitelist code. But I did make it log whenever something was set via that mechanism so I could later use the log to find things that should be whitelisted (or be set by specific code instead) so switching to the whitelist would not break some important but infrequently used feature.

    - tye
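The audit-then-enforce pattern tye describes (keep the old behaviour, log every column set through the generic mechanism, then trawl the log to build the whitelist), as an added illustration in Perl; this is not ecore code and not tye's implementation, and the column names, node hash, caller string and log format are all constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Columns a generic "set field" request may write directly (constructed set).
my %WHITELIST = map { $_ => 1 } qw(title doctext);

# 0 = audit: apply the write but log it; 1 = enforce: refuse non-whitelisted columns.
my $ENFORCE = 0;

my @LOG;                        # stands in for everything.errlog
sub log_msg { push @LOG, shift }

# Apply a hash of column => value updates to a node hash. Returns the list
# of columns that were actually written.
sub update_node {
    my ($node, $updates, $who) = @_;
    my @written;
    for my $col (sort keys %$updates) {
        if (!$WHITELIST{$col}) {
            log_msg(sprintf "non-whitelisted column '%s' set on node %d by %s",
                    $col, $node->{node_id}, $who);
            next if $ENFORCE;   # in enforce mode the write is dropped
        }
        $node->{$col} = $updates->{$col};
        push @written, $col;
    }
    return @written;
}

# Trawl the log for the columns the whitelist would have blocked, with counts,
# so each one can be whitelisted or moved to dedicated code before enforcing.
sub columns_to_review {
    my %count;
    for my $line (@LOG) {
        $count{$1}++ if $line =~ /non-whitelisted column '([^']+)'/;
    }
    return \%count;
}

# Constructed request: two legitimate edits plus a column the form should not touch.
my %node = (node_id => 42, title => 'old', doctext => 'old', author_user => 7);
my @set = update_node(\%node, { title => 'new', doctext => 'new', author_user => 99 }, 'user 7');
printf "audit mode wrote: %s\n", join ',', @set;
my $review = columns_to_review();
printf "review: %s\n", join ',', map { "$_=$review->{$_}" } sort keys %$review;

$ENFORCE = 1;
@set = update_node(\%node, { author_user => 100 }, 'user 7');
printf "enforce mode wrote: %s\n", @set ? join(',', @set) : '(nothing)';
```

In audit mode the write still lands and only the log grows; flipping `$ENFORCE` after the review list is empty is the point at which the whitelist starts blocking anything the log never showed.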

      Cool. A few questions for you then:

      • Do you already have an existing github account?
      • Who do you envision having access to this code in the beginning?
      • Do you want to get me the code, or put it in yourself once everything is created? If so, you can email me the tarball of Everything*
      • Would you trust me with a schema-only mysqldump (including procedures, if any) of the DB so I can make sure the tool looks right?
      • I assume you are on a semi-modern mysql, but if you wouldn't mind letting me know the version privately, that'd be great.
      With those two things we can morph ecoretool a bit so that we can get a sanitized xml dump into source control and work from there, and once you guys are caught up a bit, we can discuss how to make mutual, sane changes to go forward with both sites.


          --jaybonci