Date: Sat, 12 Nov 2005 22:03:08 +0100
From: Alexander Leidinger
To: "M. Warner Losh"
Cc: doc-committers@freebsd.org, ceri@submonkey.net, pav@freebsd.org, cvs-all@freebsd.org, cvs-doc@freebsd.org
Subject: Re: cvs commit: www/en/cgi Makefile query-pr.cgi querypr-code.cgi
Message-ID: <20051112220308.27815e5a@Magellan.Leidinger.net>
In-Reply-To: <20051112.103529.123972777.imp@bsdimp.com>

On Sat, 12 Nov 2005 10:35:29 -0700 (MST) "M. Warner Losh" wrote:

> I've had a couple of private suggestions sent to me.
>
> The first is to create a raw-query-pr.cgi that will just serve up one
> PR in raw format with no links to this page.
>
> The second is to add another parameter to query-pr that changes
> quarterly. pass=bluestarts this quarter, pass=yellowdiamons next, etc
> (well, we wouldn't use the ingredients to lucky charms as a
> password). This level of security is the same that exists on certain
> invitation only IRC channels that are out there. Someone has to tell
> you the password, and the password changes from time to time. Since
> developer mail is project confidential, I would guess it would be
> sufficient to email the new password once a quarter.
>
> The ugly alternative is to have a 'members only' section of the
> website where you have to login. In that section, we could also give
> the full names. However, this suffers from the inability to easily
> use with 'fetch'.
>
> The fourth alternative is those goofy 'tell me what's in this box'
> schemes. Prove you are a human. This sounds more burdensome than
> logging into freefall to do the query-pr, which is Kris' main
> objection to the new change.

Those, and especially the one we use, are too easy to circumvent.
There's somewhere a page (maybe available on the links section on my
homepage or still as a "add me to the links section"-mail somewhere in
my inbox...) which dissects a lot of those schemes and also provides
code how to circumvent them.

With the current scheme in place we also can just render the email
address as a picture. It provides the same protection and also has the
same drawbacks for a committer.

A better alternative would be to obfuscate the address, e.g. replacing
the "@" with an "at" or with a space or an ampersand or a percent sign
or whatever (even randomizing the replacement would be possible). And
replacing dots with something else. This would result in at least the
same computational complexity for address-harvesters and it would allow
to just cut and paste the addresses. It gives the additional benefit
that sites such as freshports (or our/foreign mail archives) provide
the same obfuscation without any further work.

Bye,
Alexander.

-- 
Speak softly and carry a cellular phone.
http://www.Leidinger.net  Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
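
The obfuscation proposed in the message above, sketched as an added example that is not part of the original e-mail or of the FreeBSD CGI code. It is written in Python for illustration; the function names, the replacement sets and the sample PR text are assumptions constructed here.

```python
import random
import re

# Deliberately simple address pattern, sufficient for PR headers and mail bodies.
ADDR_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b"
)

# Replacement sets (assumed here): the message suggests "at", a space, an
# ampersand or a percent sign for "@", and "something else" for dots.
AT_FORMS = [" at ", " & ", " % ", " "]
DOT_FORMS = [" dot ", " , "]


def obfuscate(text, rng=None):
    """Rewrite every address in text, picking the replacements at random
    per address so no single fixed pattern appears across a page."""
    if rng is None:
        rng = random.SystemRandom()

    def _rewrite(match):
        at = rng.choice(AT_FORMS)
        dot = rng.choice(DOT_FORMS)
        local, domain = match.group(1), match.group(2)
        return local.replace(".", dot) + at + domain.replace(".", dot)

    return ADDR_RE.sub(_rewrite, text)


def leaked_addresses(text):
    """Defender-side check: addresses still present in raw, harvestable form."""
    return [m.group(0) for m in ADDR_RE.finditer(text)]


# Constructed sample input, not taken from a real PR.
SAMPLE_PR = (
    "Originator: Jane Committer <jane.committer@example.org>\n"
    "Reply-To: ports-bugs@lists.example.org\n"
    "Synopsis: update foo to 1.2.3\n"
)

if __name__ == "__main__":
    rendered = obfuscate(SAMPLE_PR)
    print(rendered)
    print("raw addresses left:", leaked_addresses(rendered))
```

Running `leaked_addresses` over rendered pages as a regression check catches any template that emits an address without passing it through the obfuscator.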