On Sat, 26 Feb 2011, Dirk Stöcker wrote:

 2. what parts of JOSM will not work as long as the server is down?

Every automatism (update-list, plugins-list, style-list, help and start page), and Yahoo download. For all of these, users would need to do it the manual way - download and install :-) The same as when using JOSM offline.

To make it clearer:

JOSM accesses the following server values:
/plugins
  * collected list of plugins and their meta information
/plugin-icons.zip
  * collected list of plugin icons to make plugin table nicer
/styles
  * collected list of external styles to be used for installation
/presets
  * collected list of external presets to be used for installation

- StartupPage and Help as well as their translations for display
- Yahoo-WMS-Access-script

None of these are critical infrastructure and all pass through certain layers of security checks, so malcontent must be carefully crafted. The easiest is to write a dangerous plugin (due to bugs in older versions you can produce exceptions (e.g. NPE) with crafted styles/presets as well).

Attacking through the web services themselves is much more complicated, as you need to trick Trac as well as the JOSM server checks and JOSM itself. Yes, it is possible, but even if I spend my whole days checking and fixing holes I can't prevent it.

Since the time we accessed the web pages directly to extract information, there have been many improvements, and the newest changes again reduce the influence of externally hosted content. It is much easier to have plugins in OSM-SVN than to develop them externally, so nearly all of them are in OSM-SVN, where we can have a look at them. Now we have created a system which makes adding styles/presets in the wiki much easier than handling them externally, so the amount of externally managed content will decrease over time and it is easier to have a look at that stuff.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev