From: Larson, T. E. <TEL...@we...> - 2008-06-20 12:50:52

Mike Hearn <> wrote:
> I don't think slashdot would be any poorer if it were simply scrapped.
> Thoughts?

I agree. "Overrated" is metamoderation done in moderation. I wouldn't mind changing it to a -0 "Disagree" so that moderators (who cannot reply lest their moderations be undone) can still "comment" in this way. If they want to burn a mod point, let them go ahead. But it shouldn't affect the post's score. The expanded view of moderations on the post would still show how many disagreements there were, though.

Tim

--
Tim Larson
AMT2 Unix Systems Administrator
InterCall, a division of West Corporation
Eschew obfuscation!
From: Mike H. <mi...@pl...> - 2008-06-20 11:33:16

This is something that has been bugging me for many years now. I have many comments on Slashdot that have been modded up, and then modded down again using "overrated" for no reason. The last post that this happened to simply quoted a part of the article that apparently offended the groupthink.

What is the point of these overrated mods? The only time I've ever seen overrated being used, it's by abusive moderators who know a post is not trolling or flamebait, but don't like it for personal reasons. The way it doesn't leave any trace is doubly appealing for these people. Also, IIUC overrated mods are not meta-moderated. How come?

I don't think slashdot would be any poorer if it were simply scrapped. Thoughts?
From: Manu S. <ms...@di...> - 2008-06-18 17:42:37

Are there any plans to support RDFa[1] on Slashdot or in Slashcode in the near future? I ask because I'm on the RDFa Task Force at the W3C and because we have been working with technology news sites (Digg.com) to enable semantic web markup in those sites.

A couple of other things we were wondering:

- Could we submit a patch to Slashcode that adds RDFa support to pages? The first pass would add Dublin Core[2] elements to describe title, abstract, source links and perhaps people. This would allow search indexers to more accurately categorize Slashcode-run sites in the future.
- Are there plans to support Microformats[3]? Would you accept a patch to enable Microformats support in stories as well?
- If a patch is accepted, what are the chances that Slashdot would start serving RDFa-enabled web pages?

-- manu

[1] http://rdfa.info/wiki/RDFa_Wiki
[2] http://dublincore.org/documents/dces/
[3] http://microformats.org/

--
Manu Sporny
President/CEO - Digital Bazaar, Inc.
blog: Dynamic Spectrum Auctions and Digital Marketplaces
http://blog.digitalbazaar.com/2008/04/24/dynamic-spectrum-auctions/
From: Chris N. <pu...@sl...> - 2008-06-09 21:17:52

Two longstanding security issues were found and fixed in Slash, the code that powers Slashdot (http://slashdot.org/), in May 2008. The second of the two -- found and reported to us by Scott R. White <sw...@se...>, of http://www.securestate.com/ -- is easily exploitable and must be fixed immediately on all Slash 2.x sites.

The first, found and fixed on May 1, was a problem with filtering certain types of form data: form inputs where the form name is matched against a regex. At some point years ago, during refactoring, the code was changed to use a named variable, instead of the default variable, so the matching was not actually being done, and the corresponding values were not being properly sanitized.

http://github.com/scc/slash/commit/cf5866dca5f4670a947795926040551306790998

No known exploits -- either for the database, or cross-site scripting (XSS) -- exist for this issue, but though a code review was performed and a way was not found to abuse it, that doesn't mean it couldn't be abused.

The second issue, found and fixed on May 23, is similar: the code to properly filter the "sid" of a story was not anchored properly, and additional data could be tacked onto the value and left unsanitized. Thanks to Scott R. White for alerting us to the problem.

http://github.com/scc/slash/commit/fda1c295ac0f45938e48f57f40605cb2dc8033cc

As with the above issue, no known database exploits exist for this issue, HOWEVER it is easily exploitable with standard XSS techniques, and all Slash sites MUST either UPDATE to the latest code, or use the patch at the URL above to manually fix their site.

Both issues have existed for years. If you are on Slash 2.x, you are almost certainly affected.

We will be making a more public announcement on the announce list and the web site next week, so this is your heads-up to get it fixed. Contact me directly, or reply here on the list, if you have any questions.

As always (not that this happens often!), please contact us about security matters at sec...@sl..., and feel free to join the low-traffic slashcode-general mailing list to keep updated on security-related matters.

https://lists.sourceforge.net/lists/listinfo/slashcode-general

--
Chris Nandor
pu...@sl...
http://slashdot.org/
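The two bug shapes the advisory above describes, as an added Perl example that is not Slash's code and does not reproduce its filters: a loop refactored to a named variable while the regex kept testing the default variable $_, so the allow-listed field is never sanitized, and a sid check anchored only at the start, so a payload appended to a well-formed sid passes through. The field names, the allow-list pattern, the strip_tags sanitizer and the YY/MM/DD/NNNNNNN sid shape are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Slash code): two filter bugs shown next to their fixes.
use strict;
use warnings;

# Constructed request data, not a real Slash request.
my %form = (
    query   => '<script>alert(1)</script>',
    comment => 'plain text, left alone by design',
);
my $clean_sid   = '08/06/09/2117252';                          # assumed sid shape
my $payload_sid = '08/06/09/2117252"><script>alert(1)</script>';  # sid with junk appended

# Assumed allow-list: field names matching this pattern must be sanitized.
my $sanitize_name_re = qr/^(?:query|search)$/;

# Toy sanitizer: drops anything that looks like a tag.
sub strip_tags { my ($v) = @_; $v =~ s/<[^>]*>//g; return $v }

# Bug 1, before: the loop was refactored from "for (keys %h)" to a named
# variable, but the regex was left bare, so it still tests $_ (which no
# longer holds the key) and the sanitizer never runs for any field.
sub filter_form_buggy {
    my ($form) = @_;
    my %out = %$form;
    local $_ = '';                          # stand-in for whatever $_ held
    for my $key (keys %out) {
        if (/$sanitize_name_re/) {          # matches $_, not $key
            $out{$key} = strip_tags($out{$key});
        }
    }
    return \%out;
}

# Bug 1, fixed: bind the match to the loop variable explicitly.
sub filter_form_fixed {
    my ($form) = @_;
    my %out = %$form;
    for my $key (keys %out) {
        if ($key =~ $sanitize_name_re) {
            $out{$key} = strip_tags($out{$key});
        }
    }
    return \%out;
}

# Bug 2, before: anchored only at the start, so a well-formed prefix lets
# the whole string, appended data included, through unchanged.
sub filter_sid_buggy {
    my ($sid) = @_;
    return $sid =~ m{^\d\d/\d\d/\d\d/\d+} ? $sid : '';
}

# Bug 2, fixed: anchor both ends and hand back only the captured sid, so a
# value with anything appended is rejected rather than passed along.
sub filter_sid_fixed {
    my ($sid) = @_;
    return $sid =~ m{\A(\d\d/\d\d/\d\d/\d+)\z} ? $1 : '';
}

my $buggy = filter_form_buggy(\%form);
my $fixed = filter_form_fixed(\%form);
print "buggy form query: $buggy->{query}\n";   # script tag survives
print "fixed form query: $fixed->{query}\n";   # tag stripped
print "buggy sid (payload): ", filter_sid_buggy($payload_sid), "\n";  # payload survives
print "fixed sid (payload): '", filter_sid_fixed($payload_sid), "'\n"; # rejected
print "fixed sid (clean):   ", filter_sid_fixed($clean_sid), "\n";    # accepted
```

The sid fix returns the capture rather than the input so that the value used downstream is exactly what the pattern validated; rejecting a sid with trailing data is the safe default, since the advisory notes the appended part is what reached the page unsanitized.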
From: Shane Z. <sh...@lo...> - 2008-04-16 12:27:17

On Apr 15, 2008, at 9:49 PM, Ken Tiller wrote:
> Thanks Shane. I applied your patch and followed your instructions, but
> install-plugin hung on execution for a couple of hours, so I killed it, and
> then followed the uninstall instructions linked from my first message, and
> then rebuilt.
>
> This time all the steps followed through smoothly, and I installed Tags
> along with the rest of the plugins at the install slashsite stage.
>
> I have now been able to start Apache, and start slash. When I visit the URL
> of the slashsite (same as the one from the install-slashsite questions),
> nothing displays. It's behaving just like a normal Apache.
>
> I have looked through the troubleshooting tips and can confirm:
>
> - Apache error log is clean (excepting File does not exist messages)
> - mod_perl was built with PERL_MARK_WHERE=1 EVERYTHING=1
> - httpd.conf does indeed include the slash conf file, which does indeed
>   include the site specific conf file
>
> The slash daemon has been running for 48 hours now.
>
> I feel like I'm missing something fundamental.

Well this sounds like an apache problem. The general troubleshooting rule is to remove any other includes, such that the only "thing" running under your apache 1.3 is slash. Make sure the hostname you made up for the thing, that you told install-slashsite, is in your /etc/hosts or your internal DNS for the IP httpd's using. Then start with the apachectl configtest, apachectl start.

You can save yourself some time, if, after doing an install-slashsite (and before you fire up apache) you do the equivalent to the following:

/usr/local/slash/bin/symlink-tool -u slash -U
/usr/local/slash/bin/runtask -u slash new_headfoot
/usr/local/slash/bin/runtask -u slash freshenup
/etc/rc.d/init.d/slash start
/usr/local/apache/bin/apachectl start

The new_headfoot && freshenup, by running those tasks by hand, ensure that the .shtml's are written to disk. So even if you have something wrong with your Perl/Apache setup, you can hit mysite.tld.com/index.shtml and see a normally-rendered page. Which once you hit that then you'd know Apache and your machine are OK and start looking at other areas of your Apache configuration.

Shane

PS you can also try the IRC channel for "insta-help" :)
From: Ken T. <tec...@ho...> - 2008-04-16 01:49:36

Thanks Shane. I applied your patch and followed your instructions, but install-plugin hung on execution for a couple of hours, so I killed it, and then followed the uninstall instructions linked from my first message, and then rebuilt.

This time all the steps followed through smoothly, and I installed Tags along with the rest of the plugins at the install slashsite stage.

I have now been able to start Apache, and start slash. When I visit the URL of the slashsite (same as the one from the install-slashsite questions), nothing displays. It's behaving just like a normal Apache.

I have looked through the troubleshooting tips and can confirm:

- Apache error log is clean (excepting File does not exist messages)
- mod_perl was built with PERL_MARK_WHERE=1 EVERYTHING=1
- httpd.conf does indeed include the slash conf file, which does indeed include the site specific conf file

The slash daemon has been running for 48 hours now.

I feel like I'm missing something fundamental.
From: Shane Z. <sh...@lo...> - 2008-04-14 18:13:10

On Apr 14, 2008, at 8:38 AM, Ken Tiller wrote:
> I am attempting to install slash on CentOS 4. I previously installed
> from the tarball, then found this mailing list and uninstalled using
> these instructions:
> http://sourceforge.net/mailarchive/message.php?msg_name=B6DE443E-8863-4535-8AD1-62FAB0E18CD4%40lottadot.com
>
> I since used CVS to get tag T_2_5_0_200 of slash and the install
> seemed to go fine until I hit step 7 "Start it up". At that point,
> Apache gave this error:
>
> [root slash]# /usr/local/slash-apache/bin/httpd -f /usr/www/honestken/httpd/conf/httpd.conf
> Syntax error on line 22 of /usr/local/slash/site/honestken.com/honestken.com.conf:
> Can't call method "getTagnameidCreate" on an undefined value at /usr/lib/perl5/site_perl/5.8.5/Slash/Clout.pm line 37.
>
> Now, the INSTALL file says this is a problem with DB connection, but
> install-slashsite already created all the MySQL tables successfully.
> I did all the tests for DB connectivity listed in INSTALL and my
> setup is passing them all. Looking in the code, the problem variable
> is not $slashdb, it is $tags_reader.
>
> Is my error still caused by DB problems, or could it be something
> else?
>
> Thank you,
> Ken

There seems to be an error in the code that assumes each site has the Tags plugin installed. So if you didn't install it, you'll see errors such as what you quoted.

Now, the solution for you would normally be 'just install the Tags plugin' by using the install-plugin tool, until this is fixed. However, you can't. The latest code also has a problem with plugins/Tags/mysql_schema.sql so the plugin will install, but it's missing tables from the DB when the plugin install completes. Which has the consequence that it'll break your installed site.

The solution therefore is to patch that file, run a make install on the whole src tree, then run install-plugin, then restart httpd.
(or wait till a fix is committed and a new T-tag is created and upgrade your cvs checkout to that tag - but who's got the patience for that?!? :) Now, I don't know if my patch (see below) is technically correct because it adds an auto increment where there wasn't one. But once I applied this patch, I could successfully install the Slash::Tags plugin, and all errors went away and everything worked like a champ. And I'm guessing the t-tag you chose to checkout is fairly close to recent CVS-HEAD, so your checkout has the same problem. Shane patch: cooliod:current.untouched shane$ cvs diff plugins/tags cvs diff: Diffing plugins/tags Index: plugins/tags/mysql_schema.sql =================================================================== RCS file: /cvsroot/slashcode/slash/plugins/Tags/mysql_schema.sql,v retrieving revision 1.18 diff -r1.18 mysql_schema.sql 37c37 < # tagname_cache is not normalized because it's intended to be used --- > # tagname_cache is not normalized because it is intended to be used 42c42 < tagnameid int UNSIGNED NOT NULL, --- > tagnameid int UNSIGNED NOT NULL AUTO_INCREMENT, 44d43 < weight FLOAT UNSIGNED DEFAULT 0.0 NOT NULL, 46c45 < UNIQUE tagname (tagname), --- > UNIQUE tagname (tagname) |
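Review bot: the 37c37 hunk only rewords a comment ("it's" to "it is") above the tagname_cache definition and has no bearing on the install failure; leave it out of a schema fix so the diff carries only the lines that change behaviour (42c42, 44d43, 46c45).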
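Review bot: the 42c42 hunk makes tagnameid in tagname_cache AUTO_INCREMENT, and the message itself says this is a guess. The schema's own comment calls the table a cache, and a cache normally carries ids copied from the canonical table rather than ids MySQL hands out; if Slash::Tags always supplies tagnameid on insert the attribute is harmless but misleading, and if it ever inserts without one the cache row gets an id the canonical table never issued. Confirm how the plugin populates this table before accepting the hunk, and if the id is always supplied keep the line as `tagnameid int UNSIGNED NOT NULL,`.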
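Review bot: the 44d43 hunk drops the column `weight FLOAT UNSIGNED DEFAULT 0.0 NOT NULL,` from tagname_cache, and neither the message nor the patch mentions removing a column. Any query that reads or writes tagname_cache.weight will fail once the table is created without it, so either keep the line or say why the column goes and where its readers were updated.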
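Review bot: the 46c45 hunk only removes the trailing comma after `UNIQUE tagname (tagname)`. If that line closes the column list, the comma is a MySQL syntax error that would make CREATE TABLE fail for tagname_cache and by itself explain the missing tables the message describes; say so in the description, because it would mean this hunk, not the AUTO_INCREMENT in 42c42, is the actual fix, and check the schema with only this hunk applied.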
From: Ken T. <tec...@ho...> - 2008-04-14 12:39:07

I am attempting to install slash on CentOS 4. I previously installed from the tarball, then found this mailing list and uninstalled using these instructions:
http://sourceforge.net/mailarchive/message.php?msg_name=B6DE443E-8863-4535-8AD1-62FAB0E18CD4%40lottadot.com

I since used CVS to get tag T_2_5_0_200 of slash and the install seemed to go fine until I hit step 7 "Start it up". At that point, Apache gave this error:

[root slash]# /usr/local/slash-apache/bin/httpd -f /usr/www/honestken/httpd/conf/httpd.conf
Syntax error on line 22 of /usr/local/slash/site/honestken.com/honestken.com.conf:
Can't call method "getTagnameidCreate" on an undefined value at /usr/lib/perl5/site_perl/5.8.5/Slash/Clout.pm line 37.

Now, the INSTALL file says this is a problem with DB connection, but install-slashsite already created all the MySQL tables successfully. I did all the tests for DB connectivity listed in INSTALL and my setup is passing them all. Looking in the code, the problem variable is not $slashdb, it is $tags_reader.

Is my error still caused by DB problems, or could it be something else?

Thank you,
Ken
From: Cristian F. <cri...@gm...> - 2008-02-26 20:59:21

Fucking lame (stone age hippies)! Maybe we should have left linux at version 2.0. That should be enough for you, right? If you don't need it nobody does. If you make use of something free, give something back you 4chan-ers. Don't obfuscate it under the pile of garbage that is the slashdot code. NO security updates. NO fucking nothing: no help, no themes, no updates. But, of course, you expect respect for what you do, sure. Please, make something useful, you bunch of hypocritical hippies, from what you take from others.

On Tue, Feb 26, 2008 at 2:22 PM, Shane Zatezalo <sh...@lo...> wrote:
>
> On Feb 25, 2008, at 7:09 PM, Andre-John Mas wrote:
>
> > On 25-Feb-08, at 18:25 , Shane Zatezalo wrote:
> >
> >> On Feb 22, 2008, at 3:18 PM, Andre-John Mas wrote:
> >>
> >>> Hi,
> >>>
> >>> With the constant reminder that IPv6 is on its way, I would be
> >>> interested to know if anyone has tried running Slashcode on an IPv6
> >>> based Apache 2 and network? I don't imagine that there would be much
> >>> in the way of issues, but I would be curious to know whether any
> >>> turned up.
> >>
> >> Well seeing as Slash doesn't run under Apache 2 yet (see 'INSTALL'
> >> file for more info I think it's in there) I'd say no :(
> >
> > I didn't see anything about Apache 2 not being supported in the
> > documents. All I see are the minimum supported versions. Doing a search
> > of the internet shows compatibility issues, but the posts generally
> > date 2004 and before.
>
> cooliod:current.untouched shane$ pwd
> /Users/shane/src/slash/current.untouched
> cooliod:current.untouched shane$ grep -ie 'Apache 2' *
> INSTALL: not compatible with Apache 2.x and we have no plans to port to 2.x
>
> :)
>
> > Is there a list of outstanding issues, with regards to Apache 2 and
> > Slashcode?
>
> That I don't know about. Maybe one of the OSTG guys will pipe in. I
> think there might have been an article on slashcode.com about it at
> one point or another. If memory serves, someone had started the
> modifications to make it work under Apache 2, or had got it working. I
> think at that time, modperl2 wasn't done yet. But if either happened,
> I don't recall ever seeing a patch submitted to Slash's sourceforge
> homepage with the needed changes.
>
> I could be wrong. I'd check the bugs-list, patch list and feature
> request list on the sf homepage.
>
> A subject change of Apache 2 and modperl 2 might be in order for the
> thread. That may get it more attention. I nearly ignored it because
> we, here, have no interest wrt IPv6.
>
> Hope that helps.
>
> Shane
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Slashcode-general mailing list
> Sla...@li...
> https://lists.sourceforge.net/lists/listinfo/slashcode-general
From: Shane Z. <sh...@lo...> - 2008-02-26 14:22:07

On Feb 25, 2008, at 7:09 PM, Andre-John Mas wrote:
>
> On 25-Feb-08, at 18:25 , Shane Zatezalo wrote:
>
>> On Feb 22, 2008, at 3:18 PM, Andre-John Mas wrote:
>>
>>> Hi,
>>>
>>> With the constant reminder that IPv6 is on its way, I would be
>>> interested to know if anyone has tried running Slashcode on an IPv6
>>> based Apache 2 and network? I don't imagine that there would be much
>>> in the way of issues, but I would be curious to know whether any
>>> turned up.
>>
>> Well seeing as Slash doesn't run under Apache 2 yet (see 'INSTALL'
>> file for more info I think it's in there) I'd say no :(
>
> I didn't see anything about Apache 2 not being supported in the
> documents. All I see are the minimum supported versions. Doing a search
> of the internet shows compatibility issues, but the posts generally
> date 2004 and before.

cooliod:current.untouched shane$ pwd
/Users/shane/src/slash/current.untouched
cooliod:current.untouched shane$ grep -ie 'Apache 2' *
INSTALL: not compatible with Apache 2.x and we have no plans to port to 2.x

:)

> Is there a list of outstanding issues, with regards to Apache 2 and
> Slashcode?

That I don't know about. Maybe one of the OSTG guys will pipe in. I think there might have been an article on slashcode.com about it at one point or another. If memory serves, someone had started the modifications to make it work under Apache 2, or had got it working. I think at that time, modperl2 wasn't done yet. But if either happened, I don't recall ever seeing a patch submitted to Slash's sourceforge homepage with the needed changes.

I could be wrong. I'd check the bugs-list, patch list and feature request list on the sf homepage.

A subject change of Apache 2 and modperl 2 might be in order for the thread. That may get it more attention. I nearly ignored it because we, here, have no interest wrt IPv6.

Hope that helps.

Shane
From: Andre-John M. <aj...@sy...> - 2008-02-26 00:10:04

On 25-Feb-08, at 18:25 , Shane Zatezalo wrote:
>
> On Feb 22, 2008, at 3:18 PM, Andre-John Mas wrote:
>
>> Hi,
>>
>> With the constant reminder that IPv6 is on its way, I would be
>> interested to know if anyone has tried running Slashcode on an IPv6
>> based Apache 2 and network? I don't imagine that there would be much
>> in the way of issues, but I would be curious to know whether any
>> turned up.
>
> Well seeing as Slash doesn't run under Apache 2 yet (see 'INSTALL'
> file for more info I think it's in there) I'd say no :(

I didn't see anything about Apache 2 not being supported in the documents. All I see are the minimum supported versions. Doing a search of the internet shows compatibility issues, but the posts generally date 2004 and before.

Is there a list of outstanding issues, with regards to Apache 2 and Slashcode?

Andre
From: Shane Z. <sh...@lo...> - 2008-02-25 23:25:58

On Feb 22, 2008, at 3:18 PM, Andre-John Mas wrote:
> Hi,
>
> With the constant reminder that IPv6 is on its way, I would be
> interested to know if anyone has tried running Slashcode on an IPv6
> based Apache 2 and network? I don't imagine that there would be much
> in the way of issues, but I would be curious to know whether any
> turned up.

Well seeing as Slash doesn't run under Apache 2 yet (see 'INSTALL' file for more info I think it's in there) I'd say no :(
From: Andre-John M. <aj...@sy...> - 2008-02-22 20:18:43

Hi,

With the constant reminder that IPv6 is on its way, I would be interested to know if anyone has tried running Slashcode on an IPv6 based Apache 2 and network? I don't imagine that there would be much in the way of issues, but I would be curious to know whether any turned up.

Andre
From: Shane Z. <sh...@lo...> - 2008-02-16 14:29:42

Here's the 2.2.6 tarball with the two security patches in-place. Note, I didn't use the exact patches that (I think Jamie) had created, because some of the variable names in them just don't even exist for 2.2.6.

http://lottadot.com/slash-2.2.6a.tar.gz

FYI, I think the original poster is correct in requesting this. It seems as though the tarball file should have been patched and replaced. This took about a grand total of 2 minutes to do. I don't see how "time" is an argument for not doing it, it's a security hole! (my $.02)

Please someone from SF consider updating the tarball on the slash SF page with the new one linked above.

Quite honestly if some kind soul were to have the time, they should go through all/any of the relevant issued patches on slashcode.com and apply them against the 2.2.6 tarball and re-release it entirely. (I think there was a DST fix somewhere along the lines, etc). Which, I'd consider doing but I don't have the time at the moment. Oh wait, didn't I just complain about that earlier? ;)

As far as Rob stating that Slashdot doesn't use tarballs, so it's not a priority for them. Fair enough. We do the exact same thing. In-fact, I've hardly ever over the past few years put a tarball together of something I'm GPL'ing (and I occasionally get a nasty email telling me I'm a jerk for not doing that).

Would it be possible for the sourceforge-cvs setup to generate a tarball every time a T-tag is committed on Thursday mornings and remove the prior t-tag's tarball? Maybe this could be done with R-tags too? The only way it'd be worth anything is if it's automated so no person has to deal with it each week. I've seen other projects that have an automated build system, so maybe this is something that could be setup easily? I've never hosted a project on SF so I honestly don't know if this is possible or the amount of time it would take one to set it up.

Shane

On 2/16/08, Rob Malda <ma...@sl...> wrote:
>
> At risk of sounding like a jerk, Slashdot doesn't use the releases at
> all. We deploy from the tagged versions... so creating a tarball and
> a release is simply not a priority for us.
>
> I'd love to see releases happen, but given the thousand other things
> on the TODO list that directly impact our day to day operations, I
> have a hard time giving it any real priority.
>
> On Feb 16, 2008, at 7:36 AM, Penang A1 wrote:
>
> > Since I'm the one who asked the original question, please allow me
> > to state why I asked that question ...
> >
> > Many years ago I set up a site using slashcode. Worked flawlessly !
> >
> > Recently, as I was preparing to set up another site with slashcode,
> > lo and behold, an announcement of a serious security issue ! So I
> > went to sourceforge and check ... and was disturbed to find out that
> > the files there were all the old ones !
> >
> > It's not that I can't do the update as described by others, the main
> > reason I post that original question is because I am thinking of
> > ***THE NEW USERS*** who want to try out slashcode but aren't aware
> > of the security issue.
> >
> > Or it could be that people knew about the security issue, but
> > thought (wrongly!) that the slashcode files at sourceforge contain
> > the fix already, and therefore are safe to use !
> >
> > We shouldn't be thinking just for people like us, the long time
> > users. There _are_ others who don't even know about this mailing
> > list !
> >
> > Let me post the question this way:
> > If people use slashcode and got their sites hacked,
> > wouldn't it tarnish the reputation of slashcode?
> >
> > We wouldn't want that, do we??
> >
> > Hence, can someone please do all of us a favor, please update the
> > slashcode files at sourceforge with the fix.
> >
> > Thank you all for reading !!
> >
> > Lee
> >
> > > Date: Fri, 15 Feb 2008 10:10:04 +0100
> > > From: ab...@no...
> > > To: sla...@li...
> > > Subject: Re: [Slashcode-general] Will there be a new slashcode release at sourceforge ?
> > >
> > > Hi,
> > >
> > > On Thu, Feb 14, 2008 at 07:17:04PM -0500, Shane Zatezalo wrote:
> > > > I think the reason why you see people asking for a point-release is
> > > > because the point-release would typically have included in it a
> > > > scripted-method to upgrade from prior version(s).
> > >
> > > Ack. That's one of the parts really necessary for a distribution if they
> > > want to ship Slashcode as package: An automatable upgrade path.
> > >
> > > > Also, the point release would have to have some serious testing and
> > > > what-not done to it before it could be released.
> > >
> > > Another point of stable releases which would make it more suitable for
> > > packaging and especially later maintaining.
> > >
> > > Regards, Axel
> > > --
> > > Axel Beckert - ab...@de..., ab...@no... - http://noone.org/abe/
> >
> > Express yourself instantly with MSN Messenger! MSN Messenger
>
> ---
> Rob "CmdrTaco" Malda
> ma...@sl...
> Pants are Optional.
From: Rob M. <ma...@sl...> - 2008-02-16 13:32:01

At risk of sounding like a jerk, Slashdot doesn't use the releases at all. We deploy from the tagged versions... so creating a tarball and a release is simply not a priority for us.

I'd love to see releases happen, but given the thousand other things on the TODO list that directly impact our day to day operations, I have a hard time giving it any real priority.

On Feb 16, 2008, at 7:36 AM, Penang A1 wrote:
> Since I'm the one who asked the original question, please allow me
> to state why I asked that question ...
>
> Many years ago I set up a site using slashcode. Worked flawlessly !
>
> Recently, as I was preparing to set up another site with slashcode,
> lo and behold, an announcement of a serious security issue ! So I
> went to sourceforge and check ... and was disturbed to find out that
> the files there were all the old ones !
>
> It's not that I can't do the update as described by others, the main
> reason I post that original question is because I am thinking of
> ***THE NEW USERS*** who want to try out slashcode but aren't aware
> of the security issue.
>
> Or it could be that people knew about the security issue, but
> thought (wrongly!) that the slashcode files at sourceforge contain
> the fix already, and therefore are safe to use !
>
> We shouldn't be thinking just for people like us, the long time
> users. There _are_ others who don't even know about this mailing
> list !
>
> Let me post the question this way:
> If people use slashcode and got their sites hacked,
> wouldn't it tarnish the reputation of slashcode?
>
> We wouldn't want that, do we??
>
> Hence, can someone please do all of us a favor, please update the
> slashcode files at sourceforge with the fix.
>
> Thank you all for reading !!
>
> Lee
>
> > Date: Fri, 15 Feb 2008 10:10:04 +0100
> > From: ab...@no...
> > To: sla...@li...
> > Subject: Re: [Slashcode-general] Will there be a new slashcode release at sourceforge ?
> >
> > Hi,
> >
> > On Thu, Feb 14, 2008 at 07:17:04PM -0500, Shane Zatezalo wrote:
> > > I think the reason why you see people asking for a point-release is
> > > because the point-release would typically have included in it a
> > > scripted-method to upgrade from prior version(s).
> >
> > Ack. That's one of the parts really necessary for a distribution if they
> > want to ship Slashcode as package: An automatable upgrade path.
> >
> > > Also, the point release would have to have some serious testing and
> > > what-not done to it before it could be released.
> >
> > Another point of stable releases which would make it more suitable for
> > packaging and especially later maintaining.
> >
> > Regards, Axel
> > --
> > Axel Beckert - ab...@de..., ab...@no... - http://noone.org/abe/

---
Rob "CmdrTaco" Malda
ma...@sl...
Pants are Optional.
From: Penang A1 <pen...@ho...> - 2008-02-16 12:36:48

Since I'm the one who asked the original question, please allow me to state why I asked that question ...

Many years ago I set up a site using slashcode. Worked flawlessly !

Recently, as I was preparing to set up another site with slashcode, lo and behold, an announcement of a serious security issue ! So I went to sourceforge and check ... and was disturbed to find out that the files there were all the old ones !

It's not that I can't do the update as described by others, the main reason I post that original question is because I am thinking of ***THE NEW USERS*** who want to try out slashcode but aren't aware of the security issue.

Or it could be that people knew about the security issue, but thought (wrongly!) that the slashcode files at sourceforge contain the fix already, and therefore are safe to use !

We shouldn't be thinking just for people like us, the long time users. There _are_ others who don't even know about this mailing list !

Let me post the question this way:
If people use slashcode and got their sites hacked,
wouldn't it tarnish the reputation of slashcode?

We wouldn't want that, do we??

Hence, can someone please do all of us a favor, please update the slashcode files at sourceforge with the fix.

Thank you all for reading !!

Lee

> Date: Fri, 15 Feb 2008 10:10:04 +0100
> From: ab...@no...
> To: sla...@li...
> Subject: Re: [Slashcode-general] Will there be a new slashcode release at sourceforge ?
>
> Hi,
>
> On Thu, Feb 14, 2008 at 07:17:04PM -0500, Shane Zatezalo wrote:
> > I think the reason why you see people asking for a point-release is
> > because the point-release would typically have included in it a
> > scripted-method to upgrade from prior version(s).
>
> Ack. That's one of the parts really necessary for a distribution if they
> want to ship Slashcode as package: An automatable upgrade path.
>
> > Also, the point release would have to have some serious testing and
> > what-not done to it before it could be released.
>
> Another point of stable releases which would make it more suitable for
> packaging and especially later maintaining.
>
> Regards, Axel
> --
> Axel Beckert - ab...@de..., ab...@no... - http://noone.org/abe/
From: Axel B. <ab...@no...> - 2008-02-15 11:23:47
|
Hi,

On Thu, Feb 14, 2008 at 07:17:04PM -0500, Shane Zatezalo wrote:
> I think the reason why you see people asking for a point-release is
> because the point-release would typically have included in it a
> scripted-method to upgrade from prior version(s).

Ack. That's one of the parts really necessary for a distribution if they want to ship Slashcode as a package: An automatable upgrade path.

> Also, the point release would have to have some serious testing and
> what-not done to it before it could be released.

Another point of stable releases which would make it more suitable for packaging and especially later maintaining.

Regards, Axel
--
Axel Beckert - ab...@de..., ab...@no... - http://noone.org/abe/ |
From: Shane Z. <sh...@lo...> - 2008-02-15 00:17:13
|
On Feb 13, 2008, at 2:52 PM, Larson, Timothy E. wrote:
> William Scott Lockwood III <> wrote:
>> Ever?
>
> I think the idea for a long time now has been that you can always pull
> the most recent stable tag from public CVS, so why do you need a
> tarball?
>
> A quarterly(?) notice (on this list and the site) as to what that
> tag is
> would be nice, though.

Well, it's not that difficult to find out what the latest tag is:

Macintosh-2:~ shane$ cd /tmp
Macintosh-2:tmp shane$ cvs -d:pserver:ano...@sl...:/cvsroot/slashcode login
Logging in to :pserver:ano...@sl...:2401/cvsroot/slashcode
CVS password:
Macintosh-2:tmp shane$ cvs -z3 -d:pserver:ano...@sl...:/cvsroot/slashcode co slash
Macintosh-2:tmp shane$ tail -50 /tmp/slash/sql/mysql/upgrades | grep cvs_tag_currentcode
UPDATE vars SET value = 'T_2_5_0_190' WHERE name = 'cvs_tag_currentcode';
UPDATE vars SET value = 'T_2_5_0_191' WHERE name = 'cvs_tag_currentcode';
UPDATE vars SET value = 'T_2_5_0_192' WHERE name = 'cvs_tag_currentcode';
UPDATE vars SET value = 'T_2_5_0_193' WHERE name = 'cvs_tag_currentcode';
UPDATE vars SET value = 'T_2_5_0_194' WHERE name = 'cvs_tag_currentcode';

Or just go to http://slashdot.org and view the page's source code. You'll see links w/ the tag that they are using, which is normally pretty close to current:

<link rel="stylesheet" type="text/css" media="screen, projection" href="//images.slashdot.org/core-tidied.css?T_2_5_0_194a">

Or http://use.perl.org is another site that's kept relatively close to current I believe.

I think the reason why you see people asking for a point-release is because the point-release would typically have included in it a scripted-method to upgrade from prior version(s). So, while people want the additional functionality of the current version (css, media in stories, audio stories, tags, firehose, discussion2, etc) they are not willing to go through the upgrade process as it currently is. Which is "follow these directions - which is basically apply these changes by hand in the order they are in this file" and that's about it. The process does work (Lord knows I've done it enough times) but it's time consuming, and with a site/server that's well-modded or not well-kept-up it can be rather difficult to upgrade. (Though, let me be clear, that's _not_ any fault of the upgrade process, as it is, nor if it were automated.)

Also, the point release would have to have some serious testing and what-not done to it before it could be released. This takes time, and manpower. It also means someone's got to go back through the bugs that are on slash's sourceforge page and http://sourceforge.net/projects/slashcode/ and make sure the ones that were accepted were fixed and the code's in, others may not have been accepted but should've, or maybe not, and those pesky feature requests too, should any of those try to be taken care of before the point release and if so who's gonna be tasked with each one? All of that takes time, energy and person-power.

So who's volunteering to do some of the work needed for a point release and what part are you going to volunteer to do? :)

Shane |
From: Larson, T. E. <TEL...@we...> - 2008-02-13 19:54:02
|
William Scott Lockwood III <> wrote:
> Ever?

I think the idea for a long time now has been that you can always pull the most recent stable tag from public CVS, so why do you need a tarball?

A quarterly(?) notice (on this list and the site) as to what that tag is would be nice, though.

Tim
--
Tim Larson AMT2 Unix Systems Administrator InterCall, a division of West Corporation Eschew obfuscation! |
From: Jim F. <hea...@ya...> - 2008-02-13 19:39:12
|
Do you guys accept donations for getting things done? I see the sourceforge ads about the new service, and I'd like a bunch of slash work done, but I don't even know where to start.... I don't have time to geek out with the code these days, although I'd like to run a slashcode version that was stripped down so that even AOL users can understand it (ha.)

- Jim

Jamie McCarthy <ja...@mc...> wrote:

pen...@ho... (Penang A1) writes:
>Is there going to be a new slashcode release at sourceforge any
>time soon ?

No, we have no plans to bundle Slash for a new tarball release.
--
Jamie McCarthy http://mccarthy.vg/ ja...@mc... |
From: William S. L. I. <sc...@gu...> - 2008-02-13 19:36:16
|
Ever?

-----Original Message-----
From: Jamie McCarthy <ja...@mc...>
To: Penang A1 <pen...@ho...>, sla...@li...
Subject: Re: [Slashcode-general] Will there be a new slashcode release at sourceforge ?
Date: Wed, 13 Feb 2008 14:11:39 -0500

pen...@ho... (Penang A1) writes:
>Is there going to be a new slashcode release at sourceforge any
>time soon ?

No, we have no plans to bundle Slash for a new tarball release.
--
William Scott Lockwood III <sc...@gu...> LRSE Hosting |
From: Jamie M. <ja...@mc...> - 2008-02-13 19:11:46
|
pen...@ho... (Penang A1) writes: >Is there going to be a new slashcode release at sourceforge any >time soon ? No, we have no plans to bundle Slash for a new tarball release. -- Jamie McCarthy http://mccarthy.vg/ ja...@mc... |
From: Penang A1 <pen...@ho...> - 2008-01-14 05:40:26
|
Many thanks for the patch release. However, upon checking the sourceforge site for slashcode, I noticed that there hasn't been any new release since 2006 (for Bundle Slash 2.52) and 2002 (for slashcode 2.2.6).

Is there going to be a new slashcode release at sourceforge any time soon ?

Thanks again ! |
From: Jamie M. <ja...@mc...> - 2008-01-07 23:33:00
|
On Friday, January 4, 2008, a serious security vulnerability was discovered, and an exploit demonstrated, in the then-current version of Slash. The vulnerability was an SQL injection. Its effect was to allow a user with no special authorization to read any information from any table the Slash site's mysql user was authorized to read (which may include other databases, including information_schema).

This vulnerability has been present in Slash for years. We are not going to list which specific versions of Slash are vulnerable, because as far as we know, they all are. Fortunately for those of you who are not running near-current CVS, the patch is easy to apply to all versions of Slash.

The Slash programming team would like to thank blackybr, of the Russian web-security portal site forum.antichat.ru, for bringing this to our attention in a responsible manner.

The ability of an attacker to read the users table is why we urged Slash sites on Friday to change their admins' passwords. Whether the threat rises to the level of requiring all your users to change their passwords, we leave up to site administrators. Mitigating factors include:

* We are not aware of this attack actually having been used. Of course, since we are providing full information today, every Slash site administrator should assume that attackers are now actively trying to penetrate your site using this information.

* Passwords are MD5'd in the users table, so an attacker does not learn them directly. (It is of course likely that one or more of your users has an MD5 that shows up in a dictionary hash table, and/or that an attacker can brute-force the hashes offline.)

* If your site is running MySQL 4.0 or earlier, we do not know of any way that significant data could be retrieved. SQL injections on MySQL do not allow for multiple queries in the default configuration, so the way to retrieve data is to inject an ANDed subquery into a WHERE clause known to be true and see whether the expected data is successfully returned. This tells the attacker one bit of information, for example, whether ASCII(SUBSTRING((SELECT x FROM y WHERE z), 1, 1)) > 90. Absent subqueries, which were added in MySQL 4.1, only data from the main query's table can be retrieved. In this case, the only known exploitable table is journals, from which not much interesting can be learned.

* As far as we know, numerous requests in this fashion are required to obtain each byte of data. On the order of 100 requests are needed to obtain a user password. You may be able to scan your site's web logs to see if you can locate multiple suspicious-looking requests, especially to journal.pl. The word "select" in a query string would be a giveaway.

One of the first things that an attacker would likely do is to obtain an administrator's password. Since Slash keeps permanent records of all administrator accesses, you may wish to scan that log for unexpected and possibly unauthorized logins. For example:

mysql> SELECT uid, host_addr, MIN(ts), MAX(ts), COUNT(*) FROM accesslog_admin WHERE ts >= '2007-12-01 00:00:00' GROUP BY uid, host_addr;

Today, I have committed two more fields in the $form hashref to be run through filter_params. They are content_type, for which I could find no vulnerabilities, and userfield, for which an XSS vulnerability (less serious than blackybr's) was found. We therefore again urge Slash site administrators to either update to the latest version in CVS, or to manually add those two fields to the alphanumeric $form field filtering done in Environment.pm, as follows:

diff -U3 -r1.224 -r1.225 --- Slash/Utility/Environment/Environment.pm 4 Jan 2008 19:14:07 -0000 = 1.224 +++ Slash/Utility/Environment/Environment.pm 7 Jan 2008 21:30:09 -0000 = 1.225
@@ -1856,8 +1856,8 @@ # fields that have ONLY a-zA-Z0-9_ my %alphas =3D map {($_ =3D> 1)} qw( - fieldname formkey commentstatus filter - hcanswer mode op section thisname type reskey + content_type fieldname formkey commentstatus filter + hcanswer mode op section thisname type reskey userfield comments_control ), # Survey

Again, this is in addition to the patch mentioned on Friday, which added id.

As a personal note: none of us who work on Slash are very pleased with this, of course. The last time we made this kind of announcement was just over three years ago, which, while long, is not long enough. We regret the oversight, and we will be taking additional steps in the coming weeks to make similar types of vulnerability both less likely and less serious.

Please feel free to post any questions on this slashcode.com story, or to email me with private concerns at ja...@sl.... To notify us of additional security issues we may not be aware of, please email sec...@sl....

This email is a copy of the text posted to slashcode.com at <http://www.slashcode.com/article.pl?sid=08/01/07/2314232>. Public comments are welcome both on this list and on the website.

We post to slashcode.com infrequently, and when we do it's usually important. We recommend all site admins subscribe to its newsletter. Please go to <http://www.slashcode.com/my/messages> and make sure "Daily Newsletter" is set to "E-mail."

-- 
Jamie McCarthy http://mccarthy.vg/ ja...@mc... |
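Review bot: in the %alphas hunk, the protection only covers $form keys that are listed by name, so any key absent from both %alphas and %nums still passes through filter_params unfiltered; this hunk is the second time in four days that a missing name has been added (id on Jan 4, `+ content_type fieldname formkey commentstatus filter` and `userfield` here). Consider a comment above `my %alphas = map {($_ => 1)} qw(` stating that every new $form field must be classified in one of these lists, or a default branch in filter_params that strips unknown keys, so the next omission fails closed instead of open. Minor: `userfield` was appended to the `hcanswer mode op section thisname type reskey` line while `content_type` went to the front of the previous one; keeping the qw() list sorted makes a missing entry easier to spot in review.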
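One way to act on the log-scanning advice in this announcement, as an added example that is not part of the message or of Slash itself: the script parses combined-format access log lines, flags requests whose query string contains "select" after percent-decoding, and counts them per client and script so that a single innocent hit stays below the threshold while a probing run stands out. The log lines, IP addresses and the threshold of 20 are constructed for the example.

```python
"""Scan combined-format web access log lines for the probing pattern the
advisory describes: many requests to journal.pl whose query string contains
the word "select". Sample lines below are constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SELECT_RE = re.compile(r'\bselect\b', re.IGNORECASE)


def is_suspicious(target):
    """True when the request target's query string contains 'select'. The query
    is percent-decoded first (the word is usually encoded in a raw log line);
    a request with no query string is never flagged."""
    _path, _sep, query = target.partition('?')
    return bool(query) and SELECT_RE.search(unquote_plus(query)) is not None


def scan(lines, threshold=20):
    """Count suspicious requests per (client IP, script name) and return the
    pairs at or above threshold. The advisory says ~100 requests are needed per
    password, so a threshold well below that still separates a probing run
    from an innocent search that happens to contain the word."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        target = m.group('target')
        if is_suspicious(target):
            script = target.partition('?')[0].rsplit('/', 1)[-1]
            counts[(m.group('ip'), script)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: one client hammering journal.pl with boolean probes,
# a normal reader, one innocent search mentioning "select", and a junk line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Jan/2008:03:14:{i:02d} +0000] "GET /journal.pl'
    f'?op=display&id=42%20AND%20(select%20{i}) HTTP/1.1" 200 5120'
    for i in range(25)
] + [
    '198.51.100.2 - - [05/Jan/2008:03:20:01 +0000] "GET /journal.pl?op=display&id=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Jan/2008:03:21:10 +0000] "GET /search.pl?query=select+committee HTTP/1.1" 200 9000',
    'not a log line',
]
```

Running scan(SAMPLE_LOG) reports only the 203.0.113.7 client (25 hits against journal.pl); lowering the threshold to 1 also surfaces the single search.pl request, which is the false positive the count is there to suppress.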
From: Jamie M. <ja...@mc...> - 2008-01-04 19:59:24
|
Whatever version of Slash you are running, please add 'id' to the list of numeric filtered parameters. This list can be found in the filter_params subroutine in Environment.pm. If you are on near-current code, you can just update to current code, it's in CVS.

The (extremely simple) diff is here:
<http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.224>

diff -U3 -r1.223 -r1.224 --- Slash/Utility/Environment/Environment.pm 24 Oct 2007=20 21:19:34 -0000 1.223 +++ Slash/Utility/Environment/Environment.pm 4 Jan 2008=20 19:14:07 -0000 1.224 @@ -1823,7 +1823,7 @@ # fields that are numeric only my %nums =3D map {($_ =3D> 1)} qw( - approved artcount art_offset bseclev + approved artcount art_offset bseclev id buymore cid clbig clsmall cm_offset commentlimit commentsort commentspill del displaystatus limit

You should also change the passwords for all your admin user accounts.

We are working on a more complete writeup of this issue. That information will be posted to this mailing list on Monday morning, Jan. 7. It will also be posted to this slashcode.com story: http://www.slashcode.com/article.pl?sid=08/01/04/1950244

We post to slashcode.com infrequently, and when we do it's usually important. We recommend all site admins subscribe to its newsletter. Please go to <http://www.slashcode.com/my/messages> and make sure "Daily Newsletter" is set to "E-mail."

-- 
Jamie McCarthy http://mccarthy.vg/ ja...@mc... |
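Review bot: in the %nums hunk, `id` is appended at the end of `+ approved artcount art_offset bseclev id` although the surrounding qw() list is kept alphabetical (approved, artcount, art_offset, bseclev, buymore, cid, ...); for a list whose whole job is to be audited for missing names, keep it sorted and place `id` between `displaystatus` and `limit`. Since this one-word change is also the edit that admins on older versions are told to apply by hand, a short comment on the line recording why the entry exists would help them confirm they have patched the right list.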