On Fri, 2015-01-30 at 23:25 -0800, Jonathan S. Shapiro wrote:
> All:
>
> I've been silent on the list for the last three (or so) weeks, and I
> thought it might be polite to say why.
>
> Every so often I decide to resume or initiate a major project. Whenever I
> do, I think to myself: "Wouldn't it be nice to be able to engage the
> community of people who share these interests in a more interactive way? It
> would really help to have a mechanism to accept and incorporate comments,
> engage in discussions, and curate the results. Down the road it would be
> nice to capture the opinions and experience of the community good and bad."
> Every time this comes up I look into the state of CMS software. The
> proximate cause this time was that I wanted to develop the next draft
> specification for BitC publicly in such a way that all of you might
> contribute comments, critiques, and annotations.
>
> BitC cannot succeed as an *n*-man show for small *n*, and certainly not for
> *n*==1. If we are going to build an ecosystem, we need a persistent place
> for debate, discussion, [dis]agreement, convergence, and curation. Mailing
> lists work well when the discussion is "alive", but they don't provide a
> way to curate and summarize conclusions in actionable form.
>
> I have spent the last three weeks bringing up test deployments of
> WordPress, Joomla, and Drupal. All three have improved dramatically since
> my last look. All three suffer from inadequate architectural coherence. All
> three suffer from security concerns as a consequence. It appears to me that
> it is now possible to put up an interactive website with a tolerable
> investment of administrative effort. It now appears plausible that Drupal
> can do the job, and can be deployed without substantially greater risk than
> the existing portfolio of Mailman+OSDoc. I've even found a few themes that,
> with minor modification, don't suck. :-)
>
> The main threats to a content management system are penetration and spam.
> When plugins are chosen judiciously, the risk of penetration seems
> manageable. Spam is endemic, and I simply don't have time to deal with that
> by hand. Passwords are now a lost cause from the standpoint of brute force
> attacks in any case, so here is my notional plan.
>
> I propose to set up a site having three roles:
>
>    1. Readers, who do not require authentication. Readers cannot comment.
>    2. Community: Those who participate in forums (discussions) and may
>       comment on documents. Requires authentication.
>    3. Participants: Those who have an active role in the project, either as
>       authors, as curators, or as code contributors.
>
> If you're on the mailing list, you'd fall under "contributors", but I'm
> very hopeful that many of you will seek to be more active "participants".
>
> Because of the "comment spam" issue, and the problem of brute-force attack,
> I have in mind to require two-factor authentication using Google
> Authenticator. GA is a time-based one-time pad. On login, you enter your
> user name, password, and one-time number provided by an app running on your
> phone, iPad, or desktop. This eliminates password phishing sorts of attacks
> at the risk of requiring a smart phone or a tablet device (or a PC). In my
> opinion, it's a relatively mild pain in the butt at login time in exchange
> for a pretty effective defense against brute-force attack and spam. To be
> honest, I'm not sure that the actual password serves any useful purpose. :-)

Shap, I haven't a smartphone, and I refuse to get one. So expect my absence on the forum until there is another way to log in.

> My initial plan is to bring up the Drupal site at bitc-lang.org, migrating
> the legacy content into a sub-tree. Once this is complete, the mailing
> lists should be frozen for archival purposes and discussion should move to
> the forums.
>
> I apologize in advance for the inconvenience of two-factor authentication.
> Other sites have been overrun, and I'd rather spend my time on BitC than on
> site administration. My suggestion is to log in once with TFA and keep a
> window open. That way you won't be prompted. My personal experience with
> Google Authenticator has been more palatable than I expected.
>
> If Google Authenticator won't work for you, I would very much like to know
> ASAP!
>
>
> shap
> _______________________________________________
> bitc-dev mailing list
> [email protected]
> http://www.coyotos.org/mailman/listinfo/bitc-dev
