Date: Sat, 12 Nov 2005 22:03:08 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: "M. Warner Losh" <imp@bsdimp.com>
Cc: doc-committers@freebsd.org, ceri@submonkey.net, pav@freebsd.org, cvs-all@freebsd.org, cvs-doc@freebsd.org
Subject: Re: cvs commit: www/en/cgi Makefile query-pr.cgi querypr-code.cgi
Message-ID: <20051112220308.27815e5a@Magellan.Leidinger.net>
In-Reply-To: <20051112.103529.123972777.imp@bsdimp.com>
References: <20051112141152.GT94004@submonkey.net> <1131813973.52725.36.camel@localhost> <20051112172425.GU94004@submonkey.net> <20051112.103529.123972777.imp@bsdimp.com>

On Sat, 12 Nov 2005 10:35:29 -0700 (MST)
"M. Warner Losh" <imp@bsdimp.com> wrote:

> I've had a couple of private suggestions sent to me.
>
> The first is to create a raw-query-pr.cgi that will just serve up one
> PR in raw format with no links to this page.
>
> The second is to add another parameter to query-pr that changes
> quarterly. pass=bluestarts this quarter, pass=yellowdiamons next, etc
> (well, we wouldn't use the ingredients to lucky charms as a
> password). This level of security is the same that exists on certain
> invitation only IRC channels that are out there. Someone has to tell
> you the password, and the password changes from time to time. Since
> developer mail is project confidential, I would guess it would be
> sufficient to email the new password once a quarter.
>
> The ugly alternative is to have a 'members only' section of the
> website where you have to login. In that section, we could also give
> the full names. However, this suffers from the inability to easily
> use with 'fetch'.
>
> The fourth alternative is those goofy 'tell me what's in this box'
> schemes. Prove you are a human. This sounds more burdensome than
> logging into freefall to do the query-pr, which is Kris' main
> objection to the new change.

Those, and especially the one we use, are too easy to circumvent.
There's a page somewhere (maybe available on the links section on my
homepage or still as an "add me to the links section"-mail somewhere in
my inbox...) which dissects a lot of those schemes and also provides
code showing how to circumvent them.

With the current scheme in place we also can just render the email
address as a picture. It provides the same protection and also has the
same drawbacks for a committer.

A better alternative would be to obfuscate the address, e.g. replacing
the "@" with an "at" or with a space or an ampersand or a percent sign
or whatever (even randomizing the replacement would be possible). And
replacing dots with something else.

This would result in at least the same computational complexity for
address-harvesters and it would allow one to just cut and paste the
addresses. It gives the additional benefit that sites such as freshports
(or our/foreign mail archives) provide the same obfuscation without any
further work.

Bye,
Alexander.

-- 
Speak softly and carry a cellular phone.
http://www.Leidinger.net    Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
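
The obfuscation proposed in this message, sketched as an added example; it is not part of the original e-mail and is not code from the FreeBSD CGI scripts. The function names, the address pattern and the dot replacement tokens are assumptions, and the sample PR text is constructed.

```python
import random
import re

# Replacement tokens. The "@" choices are the ones the message lists; the dot
# tokens are assumptions (the message only says "something else").
AT_TOKENS = [" at ", " ", " & ", " % "]
DOT_TOKENS = [" dot ", " , "]

# Deliberately narrow pattern: local part, "@", and a domain with at least one
# dot, so strings such as "root@localhost" in PR bodies are left untouched.
ADDRESS_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b"
)

_rng = random.SystemRandom()


def obfuscate_address(local, domain):
    """Rewrite one address with a randomly chosen "@" and "." replacement."""
    at = _rng.choice(AT_TOKENS)
    dot = _rng.choice(DOT_TOKENS)
    return local.replace(".", dot) + at + domain.replace(".", dot)


def obfuscate_text(text):
    """Obfuscate every address in a block of text, leaving the rest as is."""
    return ADDRESS_RE.sub(
        lambda m: obfuscate_address(m.group(1), m.group(2)), text
    )


# Constructed sample in the style of a raw PR; not taken from a real report.
SAMPLE = (
    ">Submitter-Id:  current-users\n"
    ">Originator:    Jane Doe <jane.doe@example.org>\n"
    ">Synopsis:      panic at boot in 6.0-RELEASE\n"
)

if __name__ == "__main__":
    print(obfuscate_text(SAMPLE))
```

Message-ID values have the same shape as addresses, so they would be rewritten too unless they are excluded before calling `obfuscate_text`.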
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051112220308.27815e5a>