Date: Sat, 12 Nov 2005 22:03:08 +0100 From: Alexander Leidinger <Alexander@Leidinger.net> To: "M. Warner Losh" <imp@bsdimp.com> Cc: doc-committers@freebsd.org, ceri@submonkey.net, pav@freebsd.org, cvs-all@freebsd.org, cvs-doc@freebsd.org Subject: Re: cvs commit: www/en/cgi Makefile query-pr.cgi querypr-code.cgi Message-ID: <20051112220308.27815e5a@Magellan.Leidinger.net> In-Reply-To: <20051112.103529.123972777.imp@bsdimp.com> References: <20051112141152.GT94004@submonkey.net> <1131813973.52725.36.camel@localhost> <20051112172425.GU94004@submonkey.net> <20051112.103529.123972777.imp@bsdimp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 12 Nov 2005 10:35:29 -0700 (MST)
"M. Warner Losh" <imp@bsdimp.com> wrote:
> I've had a couple of private suggestions sent to me.
>
> The first is to create a raw-query-pr.cgi that will just serve up one
> PR in raw format with no links to this page.
>
> The second is to add another parameter to query-pr that changes
> quarterly. pass=bluestarts this quarter, pass=yellowdiamons next, etc
> (well, we wouldn't use the ingrediants to lucky charms as a
> password). This level of security is the same that exist on certain
> invitation only IRC channels that are out there. Someone has to tell
> you the password, and the password changes from time to time. Since
> developer mail is project confidencial, I would guess it would be
> sufficient to email the new password once a quarter.
>
> The ugly alternative is to have a 'members only' section of the
> website where you have to login. In that section, we could also give
> the full names. However, this suffers from the inability to easily
> use with 'fetch'.
>
> The forth alternative is those goofy 'tell me what's in this box'
> schemes. Prove you are a human. This sounds more burdonsome than
> logging into freefall to do the query-pr, which is Kris' main
> objection to the new change.
Those, and specially the one we use, are too easy to circumvent. There's
somewhere a page (maybe available on the links section on my homepage
or still as a "add me to the links section"-mail somewhere in my
inbox...) which dissects a lot of those schemes and also provides code
how to circumvent them.
With the current scheme in place we also can just render the email
address as a picture. It provides the same protection and also has the
same drawbacks for a committer.
A better alternative would be to obfuscate the address, e.g. replacing
the "@" with an "at" or with a space or an ampersand or a percent sign
or whatever (even randomizing the replacement would be possible). And
replacing dots with something else.
This would result in at least the same computational complexity for
address-harvesters and it would allow to just cut and paste the
addresses. It gives the additional benefit that sites such as
freshports (or our/foreign mail archives) provide the same obfuscation
without any further work.
Bye,
Alexander.
--
Speak softly and carry a cellular phone.
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051112220308.27815e5a>