xoops forums

vinit

Just can't stay away
Posted on: 2005/1/1 15:12
vinit
vinit (Show more)
Just can't stay away
Posts: 530
Since: 2004/1/10
#31

Re: Xoops On Crack?

smdcon, truely
This will scare off a lot of newbies, but on the other hand if this topic is moved to some corner location, then it would be like taking away right to information.

Thus i vote for it being at same place. Let everyone be aware of whats the situation in hand and what we are doing to sort it out.
Posted on: 2005/1/1 15:34
smdcom
smdcom (Show more)
Posts: 901
Since: 2004/4/27
#32

Re: Xoops On Crack?

lol.. don't get me wrong. i didn't said that close this topic. but what i mean just now, let's core staff discuss this matter in the private place. don't you think if the script kiddie knows about this holes there's a lot of XOOPS site is unsafe from the script kiddie. lol... security should discuss in private place. please don't get me wrong.

JMorris

XOOPS is my life!
Posted on: 2005/1/1 15:54
JMorris
JMorris (Show more)
XOOPS is my life!
Posts: 2722
Since: 2004/4/11
#33

Re: Xoops On Crack?

@smdcom,

I can appreciate your concerns, but I have to disagree. Nobody has specifically mentioned any vulnerable code; only demonstrated it. Script Kiddies could not gleen anymore useful information from this thread than what they can obtain with readily available tools. Trust me, it's not hard to find site hacking tools.

This is an issue that affects every one of the 25,000 members of this site and countless others who use XOOPS and are not members of this site. I for one would be quite upset if this discussion were moved behind closed doors. I have multiple XOOPS based sites that I administer for clients and I want to know the outcome of this thread. Don't you?

As far as scaring people off goes....
There is no such thing as a 100% secure website! All webmasters/programmers must deal with this issue. If this is too much to handle, they don't need to have a website. Regardless of how they design their site (be it CMS or traditional coding) there will be security issues to attend to.

irmtfan

Module Developer
Posted on: 2005/1/1 15:57
irmtfan
irmtfan (Show more)
Module Developer
Posts: 3419
Since: 2003/12/7
#34

Re: Xoops On Crack?

Quote:

Mithrandir wrote:
Ok, this is getting a bit one-sided. GIJOE is not very visible here, but I am sure he does a tremendous job in the Asian community sites, so it is not the case of a guy just coding, coding and coding and not doing any support work.

Yes he is active in jp sites and support japanese very well.i know it.but how about people in other contries? he do his best to make XOOPS more secure but if he wrote news and support only in jp site this is a fork from xoops.
i think we must find a way to gather some well expert in all contries here at xoops.org and dev site.
btw i have another question from GIJOE:
why you dont open a project at dev.xoops.org for your protector module? IMHO its the best place for everyone want to develope a module and all people can support it with send bugs and features.
Quote:
smdcom wrote:
I hope this thread moved to other place privately. Personally, we should invite japanese xoopsers, developer & GIJOE of course sit together and discuss.

very good idea. why not move it to QA forum?

Herko

XOOPS is my life!
Posted on: 2005/1/1 16:53
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#35

Re: Xoops On Crack?

GIJOE: thanks for that.... thorough demonstration. You made your point. We have installed the protector module on this website.

Now please carefully reread my lengthy reply to your post and answer the following proposals to make the whole XOOPS system better and more secure.

In my reply I invited GIJOE to join the QA team as security expert. I truly think, and the demonstration also shows this, that adding a security dedicated team to the QA team would be a good thing. And I said just that in this QA thread:
Quote:
- Last but definately not least: security.
I also think the QA team should have a few people dedicated and knowledgable about security issues. They should keep an eye out for important reports and issues, and dig into the system to see if XOOPS is vulnerable. The japanese community seems highly competent for this task, maybe some collaboration on this would be great.


So it's not that we disagree on that. There seems to be some miscommunication on how to deal with this then. So let's be practical:

The XOOPS core development has always been directed from here at xoops.org. We use the SF.net project space to manage the XOOPS Core Development so everyone can contribute. This has been communicated from here many times, and permanently as well (see the 'development' block on the left side). I can honestly say I never have recieved special security reports from anyone, which is good, because I am not the lead developer, plus we have Sf.net to facilitate just that. Judging by the number of submissions made by the Japanese community, this is not news to them/you.

So, what I propose is this: we make an effort into merging the Japanese secure fork with 2.0.10 beta, together. This way, the whole XOOPS community will benefot, and the Japanese community will be able to make a large contribution to make the internet a safer place, as well as learn from the skills of the rest of the (non-japanese speaking) community and developers. So we both win.

For this, we use the international/english sf.net site and servers (so not the jp.sourceforge.net ones), so everyone has access to this. We all share what we find among everyone.

Also, I want to strongly invite you and anyone from the whole XOOPS community, to make a security team as part of the Quality Assurance team (and make GIJOE XOOPS's Chief of Security?), so we will have a continuous development and monitor to make and keep XOOPS's security level as high as possible.

That is my offer, please respond.

Herko

Bender

Home away from home
Posted on: 2005/1/1 17:02
Bender
Bender (Show more)
Home away from home
Posts: 1899
Since: 2003/3/10
#36

Re: Xoops On Crack?

[EDIT: originally this post belongs before herkos post in chronological order i just pressed submit quite late ]


Quote:

Bender wrote:
Quote:
Mithrandir wrote:
I would simply love to have some more people working on making the XOOPS core more secure. For both 2.0.x and 2.1/2.2


I think this not going far enough. However need to formulate what i think in some more lines so i will elaborate a little later.


Ok what i meant here was aimed at this:

Quote:
Orlin wrote:As Mithrandir stated on the news, XOOPS seems to be looking for the developers for the current version. At the same time, Japanese developers seem to be serious about leaving XOOPS and making their own one.

So why don't you make the best of Japanese developers' enthusiasm? For instance, you can let the Japanese team alter the current 2.0.x series. And the others focus on the 2.1 series.

Of course, there should be a consensus for the development so as not to make a difference between the current and the future one in their features.[/b]


Two questions:

What about adding more people from the asian area to the core team? (not drawing lines like "you do 2.0.x" and you and "you do 2.1.x" but getting them more involved into the whole thing?

Counterquestion: Who would be interested in joining (from those qualified) because they would most likely have the additional job to channel quite a bunch of information into english language ...


I believe a XOOPS world is better than different forks for different continents/countries/... because at one point they will just run apart so far the modules won´t be compatible anymore which would be a big loss to everyone.

Mithrandir

XOOPS is my life!
Posted on: 2005/1/1 17:07
Mithrandir
Mithrandir (Show more)
XOOPS is my life!
Posts: 6320
Since: 2003/6/21
#37

Re: Xoops On Crack?

Quote:

Bender wrote:
What about adding more people from the asian area to the core team? (not drawing lines like "you do 2.0.x" and you and "you do 2.1.x" but getting them more involved into the whole thing?)
From my point of view, they shall be so very welcome - just say the word and let's figure it out.

Herko

XOOPS is my life!
Posted on: 2005/1/1 17:22
Herko
Herko (Show more)
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1
#38

Re: Xoops On Crack?

Quote:

Mithrandir wrote:
Quote:

Bender wrote:
What about adding more people from the asian area to the core team? (not drawing lines like "you do 2.0.x" and you and "you do 2.1.x" but getting them more involved into the whole thing?)
From my point of view, they shall be so very welcome - just say the word and let's figure it out.


As I see, it, our door has never been intentionally closed for this at all, and it's still open. Like Mith said, please contact us so we can work out the who and how!

Herko
Posted on: 2005/1/1 17:30
smdcom
smdcom (Show more)
Posts: 901
Since: 2004/4/27
#39

Re: Xoops On Crack?

Quote:

Herko Coomans wrote:
to make a security team as part of the Quality Assurance team (and make GIJOE XOOPS's Chief of Security?), so we will have a continuous development and monitor to make and keep XOOPS's security level as high as possible.


As part of the QA Team, i totally agree with this. GIJOE is the right person to be the 1st XOOPS's Chief Of Security.

Bender

Home away from home
Posted on: 2005/1/1 19:07
Bender
Bender (Show more)
Home away from home
Posts: 1899
Since: 2003/3/10
#40

Re: Xoops On Crack?

Quote:
As I see, it, our door has never been intentionally closed for this at all,


I didn´t say so (nor meant to say).

Was more like a testing in to hear what the current core team thinks about enlarging core member numbers.

At this moment i´d guess the ball is in the playground of those "moving between both worlds" to get the qualified and interested people into this.

Hoping the best ...