[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Axiom-developer] RE: mathaction security

From: Page, Bill
Subject: [Axiom-developer] RE: mathaction security
Date: Thu, 10 Feb 2005 10:54:11 -0500

On Wednesday, February 09, 2005 4:33 AM William Sit wrote:
> I do not mean to exclude anyone. However, I do not want to 
> plant any idea into someone's head outside the group that
> the site is not secure, if indeed it is not.

There are several ways in which the current
site is not "secure" - some of these ways are by design (because
it is intended to be an open interactive system) and some are
due to financial and resource constraints. I think that the
current situation amounts to an "acceptible risk", in that
sense. In my opinion in general, trying to control knowledge
is not the right way to manage risk. By now there are already
many thousands of people out there who could inflict damage
on this system if they wanted too. But I think that for the
forseeable future we can continue to promote an environment
where no one wants to do this. Perhaps I am naive?

> Also, this is not related to Axiom.

You are right. But I think most Axiom developers do care
about how the project is managed and the tools that we
have available to help.

> > There are however several aspects of the design of
> > MathAction that helps to protect against malicious use.
> > One of these things is that no one (except the
> > administrator - me) can actually delete pages and a
> > complete history of all changes (diffs) is maintained
> > by the system. If necessary it is possible to "undo"
> > all the changes that someone might make to a page.
> That's good (that only you can delete pages). However, it
> is still a lot of work to reconstruct pages from diffs.

Actually Zope makes reconstructing pages VERY EASY. In the
Zope management interface there is an 'Undo' option for
each page. If you click 'Undo' you are presented with a
list of changes and checkboxes to indicate which changes
you want to reverse. Then all one needs to do is click
'Undo Selected Changes' and presto, the page is back to
the way it was.

> > > Do we have an incremental backup of the site?
> > 
> > Backup is something that we need to think more about. The
> > short answer is "no".
> > 
> ... 
> Do you mean the backup is just storing another copy on the 
> server?


> Is it not possible to zip the entire site and download it off
> the server?

Yes. Right now the tar gzip'd contents of the MathAction site
(not including the programs) is about 260 Mb. -a large download
over the Internet but not unmanagable. The problem is only that
we do not have another machine dedicated for the purpose and
we do not have any regular (automatic) procedures in place to
do it.

> > In general as we depend on more this site, I agree that we
> > need to spend more effort on it - including more money for
> > a faster (dedicated?) server and associated backup services
> > etc. But money is one thing that the Axiom Foundation has
> > not yet succeeded in attracking.
> What would be an estimate of the cost involved? I would be 
> willing to share some of the cost.

I think Tim is paying somewhere in the neighborhood of $80
per month of the current shared virtual server at RoseHosting.
I expect that for about $20 more, RoseHosting could probably
provide a reasonable regular backup service. But someone (Tim?)
will have to make inquirys about this.

> Like Tim, I do not support the idea of compensating open source
> programmers (not that they do not deserve monetary rewards, 
> but that they deserve far more than contributions to Axiom
> Foundation can pay them, and administration would be quite
> difficult and a diversion of the time for the awards committee),
> and for some other different reasons, I have not contributed
> to the Axiom Foundation.

One of the goals of the Axiom Foundation was also to support
the maintenance and operation of the axiom-developer web site.
The concept of a "bounty" for programmers just seemed like
a "sexy" idea that is working for some other open source
projects. But, sadly even though the access rate to the
MathAction website is now more than 2,000 users per month
and the Windows version of Axiom has been downloaded many
more thousands of times, we still do not seem to be able
to attract donations. The total collected so far is only
about $450.

> > ... 
> > > However, it may be better to just add this feature
> > > "quietly."
> > 
> > I don't see any way to "add" (i.e. actually take away)
> > features "quietly". Why do you feel there is any need to
> > do it "quietly"?
> By "quietly" I simply mean that the administrator (you) put 
> up a login button next to the edit button. I do not see any
> need to have this discussed openly,just like you designed
> the layout for MathAction without any discussion, and you
> did a fantastic job.

But then there were no users of the site, now there are
thousands of accesses per day. The original design was easy -
although at various times I did try to discuss it openly on
the Axiom Developer email list. (See email archives.)

> But if you feel strongly that requiring a login is taking
> away this "open" feature of Wiki, I can understand that. I 
> like the open feature too, but I do not think requiring a
> login diminishes that openness that much. It can be made
> much like ftp anonymous login: use the email address as
> password.

I suppose ... but already I am involved in so many different
web sites that require login that I am not really able to
manage different user ids, passwords etc. I do end up using
the same id in most cases, so in the end it is just a hassle
and still not really secure. I expect many people are in the
same situation.

Anyway, thanks to some new innovations of the people who
developed the ZWiki program on which MathAction is based,
we seem to have a new option to consider. It is now possible
to implement a mixed Wiki/Portal system that provides an
easily controllable range of user authentication and open
access. I have a test version of this system installed at

If you have some time and a machine that reliably accessed
the Internet, I would be very interested in your opinions
about this new approach.

> > Pity. I think your input into MathAction would be very
> > valuable.
> Thanks. When I get the problem fixed, I'll certainly 
> participate more on MathAction.


Bill Page.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]