Hey all,
There's an open ticket here:
https://hosted.fedoraproject.org/fedora-infrastructure/ticket/178
for a news.fedoraproject.org site but unfortunately it's not been updated in the past 4 months. Does anybody have any news on what's happening with it, and if not, would anybody mind if I picked it up?
I'm not an expert but willing to learn, and if somebody a bit more knowledgeable than me was willing to give me a bit of help from time to time I think we can get this done. I think it's quite an important piece to get in place, as there's more and more content I'm wanting to put out from a marketing perspective and this would be the perfect target location.
Oh, and do tell me if this is the wrong list!
Best wishes,
Jon
On Mon, 18 Feb 2008, Jonathan Roberts wrote:
> Hey all,
> There's an open ticket here:
> https://hosted.fedoraproject.org/fedora-infrastructure/ticket/178
> for a news.fedoraproject.org site but unfortunately it's not been updated in the past 4 months. Does anybody have any news on what's happening with it, and if not, would anybody mind if I picked it up?
> I'm not an expert but willing to learn, and if somebody a bit more knowledgeable than me was willing to give me a bit of help from time to time I think we can get this done. I think it's quite an important piece to get in place, as there's more and more content I'm wanting to put out from a marketing perspective and this would be the perfect target location.
> Oh, and do tell me if this is the wrong list!
It's just waiting for a leader from the news site to take the project over. I'd highly suggest looking to see if wordpress can do what you want it to as it looks like we'll be deploying it elsewhere in our infrastructure. It'd make deployment much quicker and easier on your part.
-Mike
> It's just waiting for a leader from the news site to take the project over. I'd highly suggest looking to see if wordpress can do what you want it to as it looks like we'll be deploying it elsewhere in our infrastructure.
I've just taken a quick glance at wordpress and it looks like it will more than likely do the job, two points that I'm not so sure about though:
* separate rss feed for upcoming events
* allowing anyone to submit a story for editors approval
To me these two seem fairly minor and can probably be worked around through clever work flows...based on that I'm happy for wordpress to be used but I guess should check with the news/marketing teams.
I'm happy to pick this up and lead it but I think should run past rest of news/marketing first. Definitely think it's something we want doing as soon as we can :)
Best wishes,
Jon
> It'd make deployment much quicker and easier on your part.
> -Mike
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
On Mon, 18 Feb 2008, Jonathan Roberts wrote:
>> It's just waiting for a leader from the news site to take the project over. I'd highly suggest looking to see if wordpress can do what you want it to as it looks like we'll be deploying it elsewhere in our infrastructure.
> I've just taken a quick glance at wordpress and it looks like it will more than likely do the job, two points that I'm not so sure about though:
> - separate rss feed for upcoming events
> - allowing anyone to submit a story for editors approval
> To me these two seem fairly minor and can probably be worked around through clever work flows...based on that I'm happy for wordpress to be used but I guess should check with the news/marketing teams.
> I'm happy to pick this up and lead it but I think should run past rest of news/marketing first. Definitely think it's something we want doing as soon as we can :)
Just to be clear, we certainly don't *have* to pick wordpress for news, but it would make things easier on the Infrastructure team and ultimately, probably easier on you guys if it'd work.
-Mike
> Just to be clear, we certainly don't *have* to pick wordpress for news, but it would make things easier on the Infrastructure team and ultimately, probably easier on you guys if it'd work.
Hey,
I've been in touch with the Marketing and News lists...it looks like Wordpress could cover our basic needs. Where do we take it from here? A test instance would be good to have.
Jon
Hi Jon, I talked to mmcgrath and iwolf this morning on irc, we found an existing ticket[1] for this idea. If the parties involved on the marketing/news sides could look it over and make sure it is accurate as far as needs/goals then the infrastructure folks can see about making it happen. :)
-Jason
[1] https://fedorahosted.org/fedora-infrastructure/ticket/178
On Wed, 2008-02-20 at 13:59 +0000, Jonathan Roberts wrote:
>> Just to be clear, we certainly don't *have* to pick wordpress for news, but it would make things easier on the Infrastructure team and ultimately, probably easier on you guys if it'd work.
> Hey,
> I've been in touch with the Marketing and News lists...it looks like Wordpress could cover our basic needs. Where do we take it from here? A test instance would be good to have.
> Jon
Jason wrote:
> Hi Jon, I talked to mmcgrath and iwolf this morning on irc, we found an existing ticket[1] for this idea. If the parties involved on the marketing/news sides could look it over and make sure it is accurate as far as needs/goals then the infrastructure folks can see about making it happen. :)
> -Jason
> [1] https://fedorahosted.org/fedora-infrastructure/ticket/178
Yes. I filed this ticket and I have already talked to the news and marketing teams.
Rahul
On Wed, Feb 20, 2008 at 9:53 AM, Rahul Sundaram sundaram@fedoraproject.org wrote:
> Jason wrote:
>> Hi Jon, I talked to mmcgrath and iwolf this morning on irc, we found an existing ticket[1] for this idea. If the parties involved on the marketing/news sides could look it over and make sure it is accurate as far as needs/goals then the infrastructure folks can see about making it happen. :)
>> [1] https://fedorahosted.org/fedora-infrastructure/ticket/178
> Yes. I filed this ticket and I have already talked to the news and marketing teams.
The ticket needs updated to reflect the recent discussion that Word Press would most likely be a workable alternative to the Drupal setup being discussed towards the end of the ticket. Everyone might not be following the email thread, so having the updated, correct information in the ticket is more useful to the Infrastructure team.
Thanks, ~Jeffrey
Jeffrey Tadlock wrote:
> The ticket needs updated to reflect the recent discussion that Word Press would most likely be a workable alternative to the Drupal setup being discussed towards the end of the ticket. Everyone might not be following the email thread, so having the updated, correct information in the ticket is more useful to the Infrastructure team.
Well in this case, the suggestion of wordpress actually comes from the infrastructure team. Any software that meets the requirements listed is ok. Be it wordpress or drupal or something else.
Rahul
On 20/02/2008, Rahul Sundaram sundaram@fedoraproject.org wrote:
> Jeffrey Tadlock wrote:
>> The ticket needs updated to reflect the recent discussion that Word Press would most likely be a workable alternative to the Drupal setup being discussed towards the end of the ticket. Everyone might not be following the email thread, so having the updated, correct information in the ticket is more useful to the Infrastructure team.
> Well in this case, the suggestion of wordpress actually comes from the infrastructure team. Any software that meets the requirements listed is ok. Be it wordpress or drupal or something else.
I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
Jon
On Wed, Feb 20, 2008 at 10:41 AM, Jonathan Roberts jonathan.roberts.uk@googlemail.com wrote:
> I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
Your FAS account should let you login and add a comment to the ticket [1].
Thanks! ~Jeffrey
On 20/02/2008, Jeffrey Tadlock linux@elfshadow.net wrote:
> On Wed, Feb 20, 2008 at 10:41 AM, Jonathan Roberts jonathan.roberts.uk@googlemail.com wrote:
>> I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
> Your FAS account should let you login and add a comment to the ticket [1].
Doesn't seem to be working!? Am I doing something wrong!?
Used the login link in the upper right...entered my FAS information (which I checked by logging in directly on FAS too) and just get the password prompt reappearing again and again :(
Best wishes,
Jon
> Thanks! ~Jeffrey
> [1] http://fedoraproject.org/wiki/Infrastructure/Tickets
On 2008-02-20 04:20:45 PM, Jonathan Roberts wrote:
> On 20/02/2008, Jeffrey Tadlock linux@elfshadow.net wrote:
>> On Wed, Feb 20, 2008 at 10:41 AM, Jonathan Roberts jonathan.roberts.uk@googlemail.com wrote:
>>> I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
>> Your FAS account should let you login and add a comment to the ticket [1].
> Doesn't seem to be working!? Am I doing something wrong!?
> Used the login link in the upper right...entered my FAS information (which I checked by logging in directly on FAS too) and just get the password prompt reappearing again and again :(
I think you might have used a different case when entering your username. Try using jonrob instead of JonRob.
Thanks, Ricky
On Wed, 20 Feb 2008, Jonathan Roberts wrote:
> On 20/02/2008, Jeffrey Tadlock linux@elfshadow.net wrote:
>> On Wed, Feb 20, 2008 at 10:41 AM, Jonathan Roberts jonathan.roberts.uk@googlemail.com wrote:
>>> I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
>> Your FAS account should let you login and add a comment to the ticket [1].
> Doesn't seem to be working!? Am I doing something wrong!?
> Used the login link in the upper right...entered my FAS information (which I checked by logging in directly on FAS too) and just get the password prompt reappearing again and again :(
> Best wishes,
When the time comes anyone in sysadmin-web can help you get the wordpress instance setup, we actually have one on publictest1 right now that Frank Chiulli has been testing with. You two should meet up.
-Mike
> When the time comes anyone in sysadmin-web can help you get the wordpress instance setup, we actually have one on publictest1 right now that Frank Chiulli has been testing with. You two should meet up.
OK super - I'm sure I'll be looking for someone in sysadmin-web soon enough - I hope!
Jon
On Wed, Feb 20, 2008 at 12:04 PM, Mike McGrath mmcgrath@redhat.com wrote:
> On Wed, 20 Feb 2008, Jonathan Roberts wrote:
>> On 20/02/2008, Jeffrey Tadlock linux@elfshadow.net wrote:
>>> On Wed, Feb 20, 2008 at 10:41 AM, Jonathan Roberts jonathan.roberts.uk@googlemail.com wrote:
>>>> I agree...If we could update the ticket though that would be good - I'd do this myself but don't have an account. Anybody else?
>>> Your FAS account should let you login and add a comment to the ticket [1].
>> Doesn't seem to be working!? Am I doing something wrong!?
>> Used the login link in the upper right...entered my FAS information (which I checked by logging in directly on FAS too) and just get the password prompt reappearing again and again :(
>> Best wishes,
> When the time comes anyone in sysadmin-web can help you get the wordpress instance setup, we actually have one on publictest1 right now that Frank Chiulli has been testing with. You two should meet up.
Ok one thing to find out on this.. is what are the security aspects of using wordpress. I am probably not the person to mention this as I partially flamed a Red Hat employee earlier this month about their views on WordPress.. but it would be good to make sure that it isn't going to be a problem security wise.
On Wed, 2008-02-20 at 19:32 -0700, Stephen John Smoogen wrote:
> Ok one thing to find out on this.. is what are the security aspects of using wordpress. I am probably not the person to mention this as I partially flamed a Red Hat employee earlier this month about their views on WordPress.. but it would be good to make sure that it isn't going to be a problem security wise.
wordpress is actively maintained and widely used. It has a security track record of all php programs but it also has a good record of quick turn around times for issues.
-sv
On Wed, 20 Feb 2008, seth vidal wrote:
> On Wed, 2008-02-20 at 19:32 -0700, Stephen John Smoogen wrote:
>> Ok one thing to find out on this.. is what are the security aspects of using wordpress. I am probably not the person to mention this as I partially flamed a Red Hat employee earlier this month about their views on WordPress.. but it would be good to make sure that it isn't going to be a problem security wise.
> wordpress is actively maintained and widely used. It has a security track record of all php programs but it also has a good record of quick turn around times for issues.
Additionally, mod_security will help us deal with 0day exploits and some other things. I think wordpress has an ok security record but that's by reputation, not research, anyone have a moment to look and post to the list?
-Mike
> Additionally, mod_security will help us deal with 0day exploits and some other things. I think wordpress has an ok security record but that's by reputation, not research, anyone have a moment to look and post to the list?
Pending on these security investigations, could somebody drop a message - either here or on the marketing/news lists - that explains the process we need to go through to get this to completion? A link to a relevant doc would be just as good :)
Just so we know where we're heading and can help out wherever infrastructure needs us!
Best wishes,
Jon
On Thu, 21 Feb 2008, Jonathan Roberts wrote:
>> Additionally, mod_security will help us deal with 0day exploits and some other things. I think wordpress has an ok security record but that's by reputation, not research, anyone have a moment to look and post to the list?
> Pending on these security investigations, could somebody drop a message - either here or on the marketing/news lists - that explains the process we need to go through to get this to completion? A link to a relevant doc would be just as good :)
> Just so we know where we're heading and can help out wherever infrastructure needs us!
If you've got a moment today stop by #fedora-admin on irc.freenode.net I'll get this setup for you.
-Mike
Mike McGrath wrote:
> On Wed, 20 Feb 2008, seth vidal wrote:
>> On Wed, 2008-02-20 at 19:32 -0700, Stephen John Smoogen wrote:
>>> Ok one thing to find out on this.. is what are the security aspects of using wordpress. I am probably not the person to mention this as I partially flamed a Red Hat employee earlier this month about their views on WordPress.. but it would be good to make sure that it isn't going to be a problem security wise.
>> wordpress is actively maintained and widely used. It has a security track record of all php programs but it also has a good record of quick turn around times for issues.
> Additionally, mod_security will help us deal with 0day exploits and some other things. I think wordpress has an ok security record but that's by reputation, not research, anyone have a moment to look and post to the list?
This is a highly inaccurate measure of security but it's something to look at. I wonder if lkundrak and the security team have a preference for blogging/news software :-)
Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
Year  wordpress  drupal  mediawiki  zope  plone
2008         30      17          1     0      0
2007         64      37          7     2      1
2006         21      39          4     1      3
These numbers show a big difference between mediawiki and drupal or wordpress. The questions are just how valid the numbers are and whether we're confident that the combination of SELinux (which we will then depend on; no more turning it off if we can't figure out a problem) and mod_security will keep our servers and users of the sites safe from the exploits that will appear.
-Toshio
2008/2/21 Toshio Kuratomi a.badger@gmail.com:
> This is a highly inaccurate measure of security but it's something to look at. I wonder if lkundrak and the security team have a preference for blogging/news software :-)
> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
> Year  wordpress  drupal  mediawiki  zope  plone
> 2008         30      17          1     0      0
> 2007         64      37          7     2      1
> 2006         21      39          4     1      3
I looked at WordPress a bit this morning as well. I used the same source as Toshio did, but I think I used a slightly different search than him. I used the Advanced search and set the Product to WordPress. That yielded these numbers:
2008: 13
2007: 42
2006: 16
If you search the vuln database for just wordpress it pulls in a lot of plugins for WordPress that have issues. Even the search I did pulled in results for plugins for WordPress and not just core WordPress components. So I went through 2008 and 2007 to see which results in my search affected core WordPress bits and which were for optional plugins. Those results were:
2008: 7
2007: 36
Several of the hits for those two years had been for things like custom themes someone had provided or guest books or an image gallery.
I also looked briefly at versions affected as well. Just using 2008 as an example, there were still 7 security issues listed for core WordPress components so far. But if you figure you probably shouldn't still be running a 2.0.x version or 2.1.x version of WordPress in 2008 then another 5 CVE's drop off the list leaving 2008 at 2 CVEs.
To be fair, I only looked this closely at WordPress. It is quite likely Drupal's numbers would drop if I looked through those results and made decisions on which affected core bits and which affected plugins to Drupal. Like Toshio already said, this isn't the greatest way to determine the security of an app.
> These numbers show a big difference between mediawiki and drupal or wordpress. The questions are just how valid the numbers are and whether we're confident that the combination of SELinux (which we will then depend on; no more turning it off if we can't figure out a problem) and mod_security will keep our servers and users of the sites safe from the exploits that will appear.
With any application we provide we need to consider security. I think SELinux is a valid means to help prevent damage from 0-day flaws as is mod_security. They are tools in the toolkit we can use to help reduce our attack surface. If we do move to PHP based apps, we could also consider looking at suhosin [1] as another tool for the toolbox.
Thanks, Jeffrey
On Thu, 2008-02-21 at 13:13 -0500, Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi a.badger@gmail.com:
>> This is a highly inaccurate measure of security but it's something to look at. I wonder if lkundrak and the security team have a preference for blogging/news software :-)
>> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>> Year  wordpress  drupal  mediawiki  zope  plone
>> 2008         30      17          1     0      0
>> 2007         64      37          7     2      1
>> 2006         21      39          4     1      3
> I looked at WordPress a bit this morning as well. I used the same source as Toshio did, but I think I used a slightly different search than him. I used the Advanced search and set the Product to WordPress. That yielded these numbers:
> 2008: 13
> 2007: 42
> 2006: 16
> If you search the vuln database for just wordpress it pulls in a lot of plugins for WordPress that have issues. Even the search I did pulled in results for plugins for WordPress and not just core WordPress components. So I went through 2008 and 2007 to see which results in my search affected core WordPress bits and which were for optional plugins. Those results were:
> 2008: 7
> 2007: 36
> Several of the hits for those two years had been for things like custom themes someone had provided or guest books or an image gallery.
> I also looked briefly at versions affected as well. Just using 2008 as an example, there were still 7 security issues listed for core WordPress components so far. But if you figure you probably shouldn't still be running a 2.0.x version or 2.1.x version of WordPress in 2008 then another 5 CVE's drop off the list leaving 2008 at 2 CVEs.
> To be fair, I only looked this closely at WordPress. It is quite likely Drupal's numbers would drop if I looked through those results and made decisions on which affected core bits and which affected plugins to Drupal. Like Toshio already said, this isn't the greatest way to determine the security of an app.
>> These numbers show a big difference between mediawiki and drupal or wordpress. The questions are just how valid the numbers are and whether we're confident that the combination of SELinux (which we will then depend on; no more turning it off if we can't figure out a problem) and mod_security will keep our servers and users of the sites safe from the exploits that will appear.
> With any application we provide we need to consider security. I think SELinux is a valid means to help prevent damage from 0-day flaws as is mod_security. They are tools in the toolkit we can use to help reduce our attack surface. If we do move to PHP based apps, we could also consider looking at suhosin [1] as another tool for the toolbox.
Let's not, ever, say we're considering going to php based apps.
I don't mind deploying a few but I'll be damned if I'll ever 'go to php' as a language.
-sv
Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi a.badger@gmail.com:
>> This is a highly inaccurate measure of security but it's something to look at. I wonder if lkundrak and the security team have a preference for blogging/news software :-)
>> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>> Year  wordpress  drupal  mediawiki  zope  plone
>> 2008         30      17          1     0      0
>> 2007         64      37          7     2      1
>> 2006         21      39          4     1      3
> I looked at WordPress a bit this morning as well. I used the same source as Toshio did, but I think I used a slightly different search than him. I used the Advanced search and set the Product to WordPress. That yielded these numbers:
> 2008: 13
> 2007: 42
> 2006: 16
Thanks for doing a better search than I did! I'm not sure that your numbers are any more meaningful than mine, though, as what we need to do is establish how much vulnerability we'll incur if we use a certain tool. So, to narrow it down like you want to do, we need to find out how many CVE's affect the core + plugins that we'll be using (which seems like it's not going to be a static list until something gets deployed... and probably not even then.)
For instance, wordpress was being looked at in part because we may have some responsibility for Fedora.tv in the future (which is a wordpress platform with parts implemented via plugin). Someone wanted to host polls so we started looking at a plugin to do so. Once we get this up and running, the inclination to use the platform for more things will come about as well. Did you say it has gallery plugins? Well, the art team has wanted to host some sort of gallery for quite a while. The uses we put this to is just going to grow.
So knowing that plugins are vulnerable to attack could be very relevant to the discussion at hand. Perhaps some web platform's architectures sandbox plugins so that an exploit in their code is not as dangerous to the system as a whole. Perhaps some systems make it their responsibility to filter all data coming in and all data going out with the plugins sitting behind that layer. Perhaps some developer communities (I'm including the plugin authors here) are more concerned about coding in a secure manner than others. Perhaps some projects are proactive about potential security holes while others are reactive.
Looking at numbers of raw CVEs is a very coarse way to estimate this. I think that the numbers show a quality differential between mediawiki and the others but if we want to evaluate more than that, I think we have to start looking for better criteria like Mark Cox's days of risk and actually evaluating upstream's code.
-Toshio
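An added example, not part of the original thread and not anyone's actual tooling: it carries out the narrowing Jeffrey describes (product search, then core only, then only branches you would still run) and adds back Toshio's point that the plugins a site actually deploys count too. The records are constructed so the 2008 counts mirror the 13 / 7 / 2 figures quoted above; the plugin names, the placeholder ids and the choice of "2.3" as the supported branch are assumptions.

```python
from dataclasses import dataclass

# Constructed sample, NOT real NVD data: the counts are chosen to mirror the
# 2008 figures in Jeffrey's message (13 listed, 7 in core, 2 left once the
# 2.0.x/2.1.x-only issues are dropped). Plugin/theme names are hypothetical.
SPEC_2008 = [
    # (component, affected core branches, number of entries)
    ("core", ("2.0", "2.1"), 5),
    ("core", ("2.1", "2.3"), 2),
    ("gallery-plugin", (), 2),
    ("polls-plugin", (), 2),
    ("guestbook-plugin", (), 1),
    ("custom-theme", (), 1),
]


@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder id, deliberately not CVE-shaped
    year: int
    component: str   # "core", or the plugin/theme the entry is about
    branches: tuple  # core release branches affected (empty for add-ons)


def build_sample(year, spec):
    """Expand (component, branches, count) rows into Advisory records."""
    out = []
    for component, branches, count in spec:
        for _ in range(count):
            ident = f"EXAMPLE-{year}-{len(out) + 1:03d}"
            out.append(Advisory(ident, year, component, tuple(branches)))
    return out


def triage(advisories, year, supported, deployed):
    """Narrow a raw product search down to what one deployment carries.

    supported: core branches the site would run (assumption: set by the admin)
    deployed:  names of the plugins/themes actually installed
    """
    supported, deployed = set(supported), set(deployed)
    rows = [a for a in advisories if a.year == year]
    core = [a for a in rows if a.component == "core"]
    # A core entry still matters only if it touches a branch we would run.
    core_supported = [a for a in core if supported & set(a.branches)]
    # Add-on entries matter only for add-ons that are really installed.
    addons = [a for a in rows
              if a.component != "core" and a.component in deployed]
    return {
        "listed": len(rows),
        "core": len(core),
        "core_supported": len(core_supported),
        "deployed_addons": len(addons),
        "exposure": len(core_supported) + len(addons),
        "ids": sorted(a.ident for a in core_supported + addons),
    }


if __name__ == "__main__":
    sample = build_sample(2008, SPEC_2008)
    for deployed in ([], ["polls-plugin"], ["polls-plugin", "gallery-plugin"]):
        result = triage(sample, 2008, supported=["2.3"], deployed=deployed)
        print(deployed, {k: v for k, v in result.items() if k != "ids"})
```

The `exposure` figure grows as soon as a polls or gallery plugin is added to `deployed`, which is why the core-only count understates what a growing deployment carries.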
infrastructure@lists.fedoraproject.org