Re: [Savannah-hackers] Re: A request for the website on behalf of the GNU project

[Hugo Gayosso]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

I will try to answer some of the questions, the rest of the
savannah-hackers, please complete what I am missing.


> OK, Lets start with an ftp site mirror, and a website mirror.
> 
> Do you have a written policy? e.g.:

At: <http://savannah.gnu.org> you will find a few links to different
kinds of documentation, including webmastering, please check it up.


> Practical matters:
> -- who do I ask for an acount/password?

http://savannah.gnu.org

"Register as a new user", everything is handled automatically if your
project is already part of GNU and if you already have an account in
GNU machines.

If you already have an account on the GNU machines, user your kerberos
password to log in and then change it to something else.


> -- what should the directory structure be?

WWW:

You are given a directory, and under this directory you are free to
use the structure you want.

CVS:

You are given one repository and you are free to have the structure
you want.


> -- how do I get usage/hit/download statistics?


I don't know if there is something already installed to do it now.


> -- do you have recommended rsync proceedures and scripts?

To rsync from where to where (and what, CVS, WWW??)  ?



> Policy:
> -- Do you host precompiled binaries?  In the past, FSF has been reticent
>    about doing this.

I think there will be no problem, but I would prefer somebody to
re-confirm this.


> -- Style: Can I keep my web pages in whatever style, or are there style
>    guidelines?  Are banner ads allowed?  Are other marketing come-ons
>    and plugs allowed?


For web pages on www.gnu.org you have to follow the GNU Web
guidelines, and we would like to have at least one page on
"/software/gnucash", if you prefer other things, you can make the link
on the project page (at savannah) to point somewhere else.


> Security issues:
> -- Should we md5/gpg sign all our soruces and binaies? I beleive we
>    should, but do you have any particular recommendations?
>    (I'm particularly nervous because I don't want to wake up someday
>    and read on slashdot about how some trojan horse in gnucash has been
>    e-mailing credit-card numbers to wherever).

We have been discussing about this (not only for savannah), but we
haven't get a solution yet.


> -- what's the best (automated?) way I can assure that some hacker hasn't 
>    busted into your site & altered the binaries (or source)?  Do you
>    have any recommended scripts for rsync+md5 checking?


Somebody, please comment on this.


> > > 2) Surveys. I want to create a user survey ('what new
> > > features..etc.)  I think I finally found some good s/w for that,
> > > but its sql-backended and I'm paranoid about administering the
> > > security aspects of that.  Thus, if fsf provided that, I might
> > > actually realy really consider it.

Somebody, please comment on this.


> > Perhaps you could work with Loic and the other savannah-hackers to get this
> > software set up on savannah.  Perhaps they could check the security issues,
> > too?
> > 
> > savannah-hackers: are you willing?

Yep. :)


> I've been playing with PHPesp (espPHP?) as a survey tool.  It seems
> to provide a good infrastructure for creating and managing surveys &
> reviewing the statistics.  But I have not at all figured out if it
> has security holes in it, or other risks I should be aware of.

I have added a task in the savannah-hackers task list to investigate
it. Thanks for your suggestion.

Greetings,
- -- 
Hugo Gayosso
Support the Free Software
Support the GNU Project 
http://www.gnu.org
http://wildebeest.penguinpowered.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6omyxMNObVRBZveYRAtatAJ4uYoUxqe6xoNG8gm9jMaMKDcIZigCfSGL9
ZQqMxuTwVVe0aWtxeRNxB/E=
=gVoo
-----END PGP SIGNATURE-----