[moin-devel] Current state of Debian efforts with Moin

Steve McIntyre steve at einval.com
Thu Oct 18 13:05:41 EDT 2018


Much belated response, sorry... :-(

On Mon, Aug 20, 2018 at 02:54:37PM +0200, Thomas Waldmann wrote:
>
>>   https://salsa.debian.org/debian/moin/tree/master/debian/patches
>
>Have gone through them (again) and the current state is like that:
>
>> fix_wrong_digestmod_of_hmac.new_calls.patch
>
>Patch from download page (I guess), fixed in git already.

Yup, that's where we picked it up from.

>> fix_rss.patch 	Fix rss_rc action to stop crashes
>
>I opened github issue, please add more details there:
>
>https://github.com/moinwiki/moin-1.9/issues/25

Sorry, responding here instead. I closed my github account when they
were bought out by Microsoft. :-(

On wiki.debian.org we saw lots of errors, as shown in

  https://bugs.debian.org/787583

looking like

mod_wsgi (pid=1755): Exception occurred processing WSGI script '/srv/wiki.debian.org/bin/moin.wsgi'.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/werkzeug/wsgi.py", line 588, in __call__
    return self.app(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 264, in __call__
    response = run(context)
  File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 89, in run
    response = dispatch(request, context, action_name)
  File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 137, in dispatch
    response = handle_action(context, pagename, action_name)
  File "/usr/lib/python2.7/dist-packages/MoinMoin/wsgiapp.py", line 203, in handle_action
    handler(context.page.page_name, context)
  File "/usr/lib/python2.7/dist-packages/MoinMoin/action/rss_rc.py", line 178, in execute
    handler._write(
AttributeError: RssGenerator instance has no attribute '_write'

This simple patch made the noise stop. I'll admit we've not looked at
this in a while...

>> incremental-dump.patch implement an incremental dump process
>> Implement an incremental dump process.
>> This also fixes dumping of the attachments.
>> This also allows the dump script to be interrupted.
>
>Sounds useful, but for 1.9.10 guess I'd prefer a bug report about what
>is broken with the attachments and a fix-only pull request that fixes
>just that.
>
>
>> disable_gui_editor_if_fckeditor_missing.patch
>> hardcode_configdir.patch
>> htdocs_moved_to_usr_share_moin.patch
>> use_systemwide_libs.patch
>
>Dist packaging specific, not needed upstream.

ACK.

>> remove_favicon.patch
>
>Cosmetic.

But it's something that affects privacy. We've got a policy of
removing remote resources like favicons from Debian packages where
possible.

>> external_account_creation_check.patch
>> mail-verification.patch
>> netaddr_hosts_deny.patch
>> recaptcha.patch
>
>Lots of efforts on spam fighting.
>
>We need to fight spam bots, but the problem is that (AFAIK) they have
>already worked around all these mechanisms.

They're part of a defence-in-depth approach for us. recaptcha is not
all that useful for us now, but the others help:

 * We verify emails, so we have email addresses attached to accounts
   at least.

 * Next, we call out to an external script to validate account
   creation. That script uses a lot of heuristics to determine how
   spammy a new account signup attempt is, and has the power to
   blacklist IP addresses etc. We analyze the logs from that script to
   see what's going on and potentially block wider blocks of
   addresses.

 * The netaddr_hosts_deny patch is something I've just developed and
   we haven't yet deployed it. The existing code to simply match using
   startswith is very limited...

>I'll write a separate mail about my recent attempts on spam fighting.

ACK, saw that - I'll respond to that too.

>>  * A check of the licensing in Moin showed up two sets of images where
>>    licensing is not as clear as we'd like:
>
>Ugh. Well, I guess this is rather a documentation issue than a licensing
>issue as IIRC we never have used anything we are not permitted to use.
>
>But I also can't remember the details about these 7 icons. Guess we have
>them since > 10 years.

Right. We're developing better and better QA tools in Debian - they
picked up on these files which have been around for a very long
time. Do you know where they came from, and who committed them? I've
tried to contact the people involved from the embedded information,
with no response.

>(the list is longer than 7 because they were copied into multiple themes)

Nod.

>
>> There's also a range of bug reports in the Debian BTS:
>> 
>>   https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=moin
>
>https://github.com/moinwiki/moin-1.9/issues/26

ACK. :-)

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"I used to be the first kid on the block wanting a cranial implant,
 now I want to be the first with a cranial firewall. " -- Charlie Stross
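
Added example, not part of the message above and not the Debian netaddr_hosts_deny patch: a sketch of why matching deny entries with startswith is limited compared with parsing the address and testing network membership. It uses Python's standard ipaddress module rather than netaddr; the function names, the deny lists and the fail-closed handling of unparseable input are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed deny lists (documentation ranges only).
# A string prefix can only cut at a textual boundary, so the /26 below has to
# be widened to the whole "198.51.100." block in the prefix list.
DENY_PREFIXES = ["203.0.113.", "198.51.100.", "2001:db8:bad:"]
DENY_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.64/26"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]


def prefix_denied(ip, deny_prefixes=DENY_PREFIXES):
    """Text comparison: true if the address string starts with a deny entry."""
    return any(ip.startswith(prefix) for prefix in deny_prefixes)


def cidr_denied(ip, deny_networks=DENY_NETWORKS):
    """Parse the address, then test membership in each denied network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # assumption: an unparseable client address is refused
    # ::ffff:a.b.c.d is the same host as a.b.c.d, so compare the IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in deny_networks)


def compare(ip):
    """Return (prefix result, network result) for one client address."""
    return prefix_denied(ip), cidr_denied(ip)


if __name__ == "__main__":
    samples = [
        "203.0.113.9",         # both agree
        "198.51.100.200",      # outside the /26, but the prefix over-blocks it
        "2001:0db8:0bad::1",   # same network, different spelling: prefix misses
        "::ffff:203.0.113.9",  # IPv4-mapped form of a denied host: prefix misses
        "192.0.2.1",           # not denied by either
    ]
    for ip in samples:
        print("%-22s prefix=%-5s network=%s" % ((ip,) + compare(ip)))
```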


