Date:      Sat, 12 Nov 2005 22:03:08 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        "M. Warner Losh" <imp@bsdimp.com>
Cc:        doc-committers@freebsd.org, ceri@submonkey.net, pav@freebsd.org, cvs-all@freebsd.org, cvs-doc@freebsd.org
Subject:   Re: cvs commit: www/en/cgi Makefile query-pr.cgi querypr-code.cgi
Message-ID:  <20051112220308.27815e5a@Magellan.Leidinger.net>
In-Reply-To: <20051112.103529.123972777.imp@bsdimp.com>
References:  <20051112141152.GT94004@submonkey.net> <1131813973.52725.36.camel@localhost> <20051112172425.GU94004@submonkey.net> <20051112.103529.123972777.imp@bsdimp.com>

On Sat, 12 Nov 2005 10:35:29 -0700 (MST)
"M. Warner Losh" <imp@bsdimp.com> wrote:

> I've had a couple of private suggestions sent to me.
> 
> The first is to create a raw-query-pr.cgi that will just serve up one
> PR in raw format with no links to this page.
> 
> The second is to add another parameter to query-pr that changes
> quarterly.  pass=bluestarts this quarter, pass=yellowdiamons next, etc
> (well, we wouldn't use the ingredients to lucky charms as a
> password).  This level of security is the same that exists on certain
> invitation only IRC channels that are out there.  Someone has to tell
> you the password, and the password changes from time to time.  Since
> developer mail is project confidential, I would guess it would be
> sufficient to email the new password once a quarter.
> 
> The ugly alternative is to have a 'members only' section of the
> website where you have to login.  In that section, we could also give
> the full names.  However, this suffers from the inability to easily
> use with 'fetch'.
> 
> The fourth alternative is those goofy 'tell me what's in this box'
> schemes.  Prove you are a human.  This sounds more burdensome than
> logging into freefall to do the query-pr, which is Kris' main
> objection to the new change.

Those, and especially the one we use, are too easy to circumvent. There's
a page somewhere (maybe available on the links section on my homepage
or still as a "add me to the links section"-mail somewhere in my
inbox...) which dissects a lot of those schemes and also provides code
to circumvent them.

With the current scheme in place we also can just render the email
address as a picture. It provides the same protection and also has the
same drawbacks for a committer.

A better alternative would be to obfuscate the address, e.g. replacing
the "@" with an "at" or with a space or an ampersand or a percent sign
or whatever (even randomizing the replacement would be possible). And
replacing dots with something else.

This would result in at least the same computational complexity for
address-harvesters and it would allow one to just cut and paste the
addresses. It gives the additional benefit that sites such as
freshports (or our/foreign mail archives) provide the same obfuscation
without any further work.

Bye,
Alexander.

-- 
               Speak softly and carry a cellular phone.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
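
The obfuscation proposed in the message above (replace "@" and dots, optionally with a randomized replacement), sketched in Python as an added example; it is not part of the original e-mail or of the FreeBSD CGI scripts. The function names, the replacement pools and the sample PR text are assumptions made for illustration.

```python
import html
import random
import re

# Constructed sample PR header text; the address is a placeholder.
SAMPLE_PR = (
    "From: Jane Committer <jane.doe@example.org>\n"
    "Reply-To: jane.doe@example.org\n"
    "Synopsis: fetch(1) fails on query-pr.cgi output\n"
)

# Replacement pools (assumed). The message suggests "at", a space,
# an ampersand or a percent sign for "@", and "something else" for dots.
AT_TOKENS = [" at ", " & ", " % ", " "]
DOT_TOKENS = [" dot ", " , ", " _ "]

# Deliberately simple pattern for addresses in display text,
# not a full RFC 5322 parser.
ADDRESS_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
)


def obfuscate_address(local, domain, rng):
    """Rewrite one address with tokens picked for this occurrence."""
    at = rng.choice(AT_TOKENS)
    dot = rng.choice(DOT_TOKENS)
    return local.replace(".", dot) + at + domain.replace(".", dot)


def obfuscate_text(text, rng=None):
    """Obfuscate every address in text; everything else is untouched."""
    if rng is None:
        rng = random.Random()
    return ADDRESS_RE.sub(
        lambda m: obfuscate_address(m.group(1), m.group(2), rng), text
    )


def render_for_web(text, rng=None):
    """Obfuscate first, then HTML-escape, so that a chosen '&' token
    and the '<' '>' around addresses stay valid in the served page."""
    return html.escape(obfuscate_text(text, rng))


if __name__ == "__main__":
    print(render_for_web(SAMPLE_PR, random.Random(2005)))
```

Because the tokens are drawn per occurrence, the same address can appear in different forms within one page, and a reader can still copy the text and restore the two kinds of separator by hand.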



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051112220308.27815e5a>