All: I've been silent on the list for the last three (or so) weeks, and I thought it might be polite to say why.
Every so often I decide to resume or initiate a major project. Whenever I do, I think to myself: "Wouldn't it be nice to be able to engage the community of people who share these interests in a more interactive way? It would really help to have a mechanism to accept and incorporate comments, engage in discussions, and curate the results. Down the road it would be nice to capture the opinions and experience of the community good and bad." Every time this comes up I look into the state of CMS software.

The proximate cause this time was that I wanted to develop the next draft specification for BitC publicly in such a way that all of you might contribute comments, critiques, and annotations. BitC cannot succeed as an *n*-man show for small *n*, and certainly not for *n*==1. If we are going to build an ecosystem, we need a persistent place for debate, discussion, [dis]agreement, convergence, and curation. Mailing lists work well when the discussion is "alive", but they don't provide a way to curate and summarize conclusions in actionable form.

I have spent the last three weeks bringing up test deployments of WordPress, Joomla, and Drupal. All three have improved dramatically since my last look. All three suffer from inadequate architectural coherence. All three suffer from security concerns as a consequence. It appears to me that it is now possible to put up an interactive website with a tolerable investment of administrative effort. It now appears plausible that Drupal can do the job, and can be deployed without substantially greater risk than the existing portfolio of Mailman+OSDoc. I've even found a few themes that, with minor modification, don't suck. :-)

The main threats to a content management system are penetration and spam. When plugins are chosen judiciously, the risk of penetration seems manageable. Spam is endemic, and I simply don't have time to deal with that by hand.

Passwords are now a lost cause from the standpoint of brute force attacks in any case, so here is my notional plan. I propose to set up a site having three roles:

1. Readers, who do not require authentication. Readers cannot comment.
2. Community: Those who participate in forums (discussions) and may comment on documents. Requires authentication.
3. Participants: Those who have an active role in the project, either as authors, as curators, or as code contributors.

If you're on the mailing list, you'd fall under "contributors", but I'm very hopeful that many of you will seek to be more active "participants".

Because of the "comment spam" issue, and the problem of brute-force attack, I have in mind to require two-factor authentication using Google Authenticator. GA is a time-based one-time pad. On login, you enter your user name, password, and one-time number provided by an app running on your phone, iPad, or desktop. This eliminates password phishing sorts of attacks at the risk of requiring a smart phone or a tablet device (or a PC). In my opinion, it's a relatively mild pain in the butt at login time in exchange for a pretty effective defense against brute-force attack and spam. To be honest, I'm not sure that the actual password serves any useful purpose. :-)

My initial plan is to bring up the Drupal site at bitc-lang.org, migrating the legacy content into a sub-tree. Once this is complete, the mailing lists should be frozen for archival purposes and discussion should move to the forums.

I apologize in advance for the inconvenience of two-factor authentication. Other sites have been overrun, and I'd rather spend my time on BitC than on site administration. My suggestion is to log in once with TFA and keep a window open. That way you won't be prompted. My personal experience with Google Authenticator has been more palatable than I expected.

If Google Authenticator won't work for you, I would very much like to know ASAP!

shap
_______________________________________________
bitc-dev mailing list
[email protected]
http://www.coyotos.org/mailman/listinfo/bitc-dev
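For readers following the two-factor plan in the message above, here is a sketch of the server-side check for a Google Authenticator style code (RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits). It is an added example, not part of the original message and not the code of any Drupal module; `TotpVerifier`, its parameters and the lockout threshold are hypothetical names and values, and the secret is the published RFC test key.

```python
import base64, hashlib, hmac, struct

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by authenticator apps

def totp(secret_b32: str, unix_time: int) -> str:
    """Code for the time step containing unix_time (RFC 6238 over RFC 4226)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TotpVerifier:
    """Per-account verifier (hypothetical): drift window, replay check, lockout."""

    def __init__(self, secret_b32: str, window: int = 1, max_failures: int = 5):
        self.secret = secret_b32
        self.window = window          # accept +/- this many steps of clock drift
        self.max_failures = max_failures
        self.failures = 0             # consecutive failed attempts
        self.last_step = -1           # newest time step already accepted

    def verify(self, submitted: str, now: int) -> bool:
        if self.failures >= self.max_failures:
            return False              # locked: a 6-digit space is guessable without this
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue              # a code is single-use; reject replays
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step, self.failures = step, 0
                return True
        self.failures += 1
        return False

# Constructed sample input: the RFC 6238 SHA-1 test key, base32-encoded as an
# authenticator app would store it. Never use this key for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    print(totp(SECRET, 59), v.verify("287082", 59), v.verify("287082", 59))
```

The replay check and the failure counter carry the brute-force defense: with a one-step drift window three codes are valid at any moment, so the attempt limit has to be enforced by the server.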
