On Thu, Apr 7, 2022 at 11:52 AM Paul Wise <p...@debian.org> wrote:

> On Thu, 2022-04-07 at 11:01 +0200, Oliver Falk wrote:
>
> > I remember the CGI was disabled quite some time ago, but I have to
> > admit, I never had the chance to engage with the right people to see
> > how we can fix it.
>
> To be clear, I'm not the right person, just relaying some info that got
> dug up on IRC today when other people noticed the script was broken.
>

Thanks for clarifying that - noted!


> > I understand the script was added in order to provide additional
> > caching, right?
>
> I think it was mainly for privacy; not sending the avatar image
> requests to third-party domains such as libravatar.org.
>

IMHO, the current solution doesn't really provide more security. Yes,
Libravatar doesn't see the client IPs, but that's all. Currently, what
happens is that the local CGI script is actually called with the mail
address instead of the hash, which I'd see as a bigger issue.

Note that Libravatar has a privacy policy in place:
https://www.libravatar.org/privacy/

Libravatar is a community-driven project with a lot of eyes on it and we're
fully committed to staying neutral. Read: we're not going to share or sell
data.


> > What about if we change this to directly access libravatar.org and
> > see if the performance is sufficient? (doesn't address
> > federation...).
>
> That would presumably work, but there is the privacy issue.
>

I do understand people are concerned about privacy - I am too and that was
one of the reasons why I stepped in as the core maintainer when fmarier
decided to give up on the project and even added an option to proxy
requests to Gravatar instead of redirecting.


> > There is a very simple libravatar proxy python script:
> >
> > https://git.linux-kernel.at/oliver/ivatar/-/blob/master/libravatarproxy.py
>
> Since the Debian BTS is written in Perl I assume the admins prefer it.
>

Fair point!


> > Since I do have some Perl experience as well, if you want to stick
> > with Perl, I can also look into the existing CGI and depending on if
> > you want or not, also add federation.
>
> That would be helpful I think.
>

Without digging much into it (esp. because I don't have the relevant
modules + config in place), I'd say the script *should* work; no idea why
it's currently throwing a server error.


> I also note from looking at the Apache config today that the script
> might have already been migrated to mod_perl, but I wasn't sure, so
> I'll leave it up to the Debian BTS admins to check and respond and
> maybe re-enable execution of the script again.
>

Thanks for checking! mod_perl should definitely help a bit to speed things
up, but currently it looks like there is some error and not like someone
disabled the script, but I have no insights of course.

Cheers,
 Oliver
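The hash-versus-address point raised in this message, as an added example (not code from the thread, the Debian BTS or the ivatar project): a small Python helper that derives the lookup hash the Libravatar API expects (address trimmed, lowercased, MD5 or SHA-256 hex digest) and a check a proxy can apply at its entry point so it only ever forwards a digest, never a raw mail address. The base URL constant and the size range are assumed configuration values.

```python
import hashlib
import re
from urllib.parse import urlencode

# Assumed/configurable upstream endpoint; not taken from the thread.
LIBRAVATAR_BASE = "https://seccdn.libravatar.org/avatar/"

# Libravatar identifies a user by the hex digest of the normalised address:
# MD5 (32 hex chars) is the classic form, SHA-256 (64 hex chars) the newer one.
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")


def normalize_email(email: str) -> str:
    """Canonical form that gets hashed: surrounding whitespace stripped, lowercased."""
    return email.strip().lower()


def email_hash(email: str, algorithm: str = "md5") -> str:
    """Digest the client should send upstream instead of the address itself."""
    if algorithm not in ("md5", "sha256"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, normalize_email(email).encode("utf-8")).hexdigest()


def is_valid_avatar_hash(value: str) -> bool:
    """Accept only a lowercase hex MD5 or SHA-256 digest.

    A proxy that enforces this on its input parameter can never be handed a raw
    mail address, which is the concern about the current CGI script."""
    return bool(_HASH_RE.match(value))


def avatar_url(avatar_hash: str, size: int = 80, default: str = "identicon") -> str:
    """Build the upstream URL from an already-validated hash."""
    if not is_valid_avatar_hash(avatar_hash):
        raise ValueError("refusing to forward a non-hash identifier")
    if not 1 <= size <= 512:  # assumed sane bound for a proxy
        raise ValueError("size out of range")
    return LIBRAVATAR_BASE + avatar_hash + "?" + urlencode({"s": size, "d": default})


if __name__ == "__main__":
    h = email_hash(" Someone@Example.org ")  # constructed sample address
    print(h, avatar_url(h, size=64))
```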
