Current state of Debian efforts with Moin
Hey folks,

As promised in irc a few days ago...

We're still using 1.9.9 with a few local patches - see

  https://salsa.debian.org/debian/moin/tree/master/debian/patches

for the full set. I've just added one new patch that's not yet released in Debian, adding support for proper netmasks when adding IP blocks - see netaddr_hosts_deny.patch.

I've got two more issues that could do with fixes:

 * We have a large list of blocked addresses to deal with spam. We'd like to split that into two:

   + addresses allowed to read the wiki, but not make changes nor sign up for accounts
   + addresses totally blocked (the current behaviour)

   We have a lot of users complaining that they're blocked, particularly if they're using commercial VPN providers who can't/won't do anything about spammers. I'm hoping to work on this soon, but I've got a long TODO list on other Debian-related projects too.

 * A check of the licensing in Moin showed up two sets of images where licensing is not as clear as we'd like:

   MoinMoin/web/static/htdocs/classic/img/idea.png
   MoinMoin/web/static/htdocs/classic/img/redface.png
   MoinMoin/web/static/htdocs/classic/img/sad.png
   MoinMoin/web/static/htdocs/classic/img/smile.png
   MoinMoin/web/static/htdocs/classic/img/smile2.png
   MoinMoin/web/static/htdocs/classic/img/smile3.png
   MoinMoin/web/static/htdocs/modern/img/idea.png
   MoinMoin/web/static/htdocs/modern/img/redface.png
   MoinMoin/web/static/htdocs/modern/img/sad.png
   MoinMoin/web/static/htdocs/modern/img/smile.png
   MoinMoin/web/static/htdocs/modern/img/smile2.png
   MoinMoin/web/static/htdocs/modern/img/smile3.png
   MoinMoin/web/static/htdocs/rightsidebar/img/idea.png
   MoinMoin/web/static/htdocs/rightsidebar/img/redface.png
   MoinMoin/web/static/htdocs/rightsidebar/img/sad.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile2.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile3.png

   These all contain text saying

     Copyright: 1999, Philipp Esselbach <ple@gmx.net>

   but there's no mention of him or a license grant anywhere I can find.

   MoinMoin/web/static/htdocs/classic/img/moin-new.png
   MoinMoin/web/static/htdocs/modern/img/moin-new.png
   MoinMoin/web/static/htdocs/rightsidebar/img/moin-new.png

   These all say:

     Copyright: 1996, Leo Doerr <http://www.silverpoint.com/>

   but there's no mention of him or a license grant anywhere I can find.

There's also a range of bug reports in the Debian BTS:

  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=moin

Most aren't too important IMHO, but others may find them interesting.

--
Steve McIntyre, Cambridge, UK. steve@einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."
  -- Bruce Schneier

----- End forwarded message -----

--
Steve McIntyre, Cambridge, UK. steve@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back
https://salsa.debian.org/debian/moin/tree/master/debian/patches
Have gone through them (again) and the current state is like that:
fix_wrong_digestmod_of_hmac.new_calls.patch
Patch from download page (I guess), fixed in git already.
fix_rss.patch Fix rss_rc action to stop crashes
I opened github issue, please add more details there: https://github.com/moinwiki/moin-1.9/issues/25
incremental-dump.patch implement an incremental dump process Implement an incremental dump process. This also fixes dumping of the attachments. This also allows the dump script to be interrupted.
Sounds useful, but for 1.9.10 guess I'd prefer a bug report about what is broken with the attachments and a fix-only pull request that fixes just that.
disable_gui_editor_if_fckeditor_missing.patch hardcode_configdir.patch htdocs_moved_to_usr_share_moin.patch use_systemwide_libs.patch
Dist packaging specific, not needed upstream.
remove_favicon.patch
Cosmetic.
external_account_creation_check.patch mail-verification.patch netaddr_hosts_deny.patch recaptcha.patch
Lots of efforts on spam fighting. We need to fight spam bots, but the problem is that (AFAIK) they have already worked around all these mechanisms. I'll write a separate mail about my recent attempts on spam fighting.
* A check of the licensing in Moin showed up two sets of images where licensing is not as clear as we'd like:
Ugh. Well, I guess this is rather a documentation issue than a licensing issue as IIRC we never have used anything we are not permitted to use. But I also can't remember the details about these 7 icons. Guess we have them since > 10 years. (the list is longer than 7 because they were copied into multiple themes)
There's also a range of bug reports in the Debian BTS:
https://github.com/moinwiki/moin-1.9/issues/26

--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
Much belated response, sorry... :-(

On Mon, Aug 20, 2018 at 02:54:37PM +0200, Thomas Waldmann wrote:
https://salsa.debian.org/debian/moin/tree/master/debian/patches
Have gone through them (again) and the current state is like that:
fix_wrong_digestmod_of_hmac.new_calls.patch
Patch from download page (I guess), fixed in git already.
Yup, that's where we picked it up from.
fix_rss.patch Fix rss_rc action to stop crashes
I opened github issue, please add more details there:
Sorry, responding here instead. I closed my github account when they were bought out by Microsoft. :-(

On wiki.debian.org we saw lots of errors, as shown in https://bugs.debian.org/787583 looking like

  mod_wsgi (pid=1755): Exception occurred processing WSGI script '/srv/wiki.debian.org/bin/moin.wsgi'.
  Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/werkzeug/wsgi.py", line 588, in __call__
      return self.app(environ, start_response)
    File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 264, in __call__
      response = run(context)
    File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 89, in run
      response = dispatch(request, context, action_name)
    File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 137, in dispatch
      response = handle_action(context, pagename, action_name)
    File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 203, in handle_action
      handler(context.page.page_name, context)
    File "/usr/lib/python2.7/dist-packages/MoinMoin/action/rss_rc.py", line 178, in execute
      handler._write(
  AttributeError: RssGenerator instance has no attribute '_write'

This simple patch made the noise stop. I'll admit we've not looked at this in a while...
incremental-dump.patch implement an incremental dump process Implement an incremental dump process. This also fixes dumping of the attachments. This also allows the dump script to be interrupted.
Sounds useful, but for 1.9.10 guess I'd prefer a bug report about what is broken with the attachments and a fix-only pull request that fixes just that.
disable_gui_editor_if_fckeditor_missing.patch hardcode_configdir.patch htdocs_moved_to_usr_share_moin.patch use_systemwide_libs.patch
Dist packaging specific, not needed upstream.
ACK.
remove_favicon.patch
Cosmetic.
But it's something that affects privacy. We've got a policy of removing remote resources like favicons from Debian packages where possible.
external_account_creation_check.patch mail-verification.patch netaddr_hosts_deny.patch recaptcha.patch
Lots of efforts on spam fighting.
We need to fight spam bots, but the problem is that (AFAIK) they have already worked around all these mechanisms.
They're part of a defence-in-depth approach for us. recaptcha is not all that useful for us now, but the others help:

 * We verify emails, so we have email addresses attached to accounts at least.

 * Next, we call out to an external script to validate account creation. That script uses a lot of heuristics to determine how spammy a new account signup attempt is, and has the power to blacklist IP addresses etc. We analyze the logs from that script to see what's going on and potentially block wider blocks of addresses.

 * The netaddr_hosts_deny patch is something I've just developed and we haven't yet deployed it. The existing code to simply match using startswith is very limited...
I'll write a separate mail about my recent attempts on spam fighting.
ACK, saw that - I'll respond to that too.
* A check of the licensing in Moin showed up two sets of images where licensing is not as clear as we'd like:
Ugh. Well, I guess this is rather a documentation issue than a licensing issue as IIRC we never have used anything we are not permitted to use.
But I also can't remember the details about these 7 icons. Guess we have them since > 10 years.
Right. We're developing better and better QA tools in Debian - they picked up on these files which have been around for a very long time. Do you know where they came from, and who committed them? I've tried to contact the people involved from the embedded information, with no response.
(the list is longer than 7 because they were copied into multiple themes)
Nod.
There's also a range of bug reports in the Debian BTS:
ACK. :-)

--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I used to be the first kid on the block wanting a cranial implant, now I want to be the first with a cranial firewall. "
  -- Charlie Stross
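Added example, not part of the thread and not the code of netaddr_hosts_deny.patch: a sketch of why string-prefix matching is limited compared with netmask matching, extended to the read-only versus fully-blocked split mentioned in the first message. It assumes Python 3 and the standard ipaddress module rather than netaddr; all function names, list names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample policy; entries are illustrative, not a real block list.
PREFIX_DENY = ["10.20.4"]             # old style: dotted string prefixes
READ_ONLY_NETS = ["10.20.4.0/22"]     # may read, may not edit or sign up
DENY_NETS = ["203.0.113.0/24", "2001:db8:bad::/48"]   # blocked outright


def prefix_denied(ip, prefixes=PREFIX_DENY):
    """Model of startswith matching on the textual form of the address."""
    return any(ip.startswith(p) for p in prefixes)


def _in_any(addr, nets):
    # Only compare within the same IP version; mixed versions never match.
    return any(addr.version == net.version and addr in net
               for net in map(ipaddress.ip_network, nets))


def classify(ip, read_only=READ_ONLY_NETS, deny=DENY_NETS):
    """Return 'deny', 'read-only' or 'allow' for a client address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "deny"   # assumption: fail closed on unparseable input
    if _in_any(addr, deny):          # the stricter tier wins on overlap
        return "deny"
    if _in_any(addr, read_only):
        return "read-only"
    return "allow"


if __name__ == "__main__":
    # 10.20.40.9 is outside the /22 but shares the text prefix "10.20.4";
    # 10.20.5.9 is inside the /22 but does not share it.
    for ip in ("10.20.4.9", "10.20.40.9", "10.20.5.9", "203.0.113.77"):
        print(ip, "prefix:", prefix_denied(ip), "netmask:", classify(ip))
```

The prefix form both over-matches (10.20.40.9) and under-matches (10.20.5.9) the intended /22, which is why a block that is not on an octet boundary cannot be expressed with it.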
participants (2): Steve McIntyre, Thomas Waldmann