[fossil-users] [date] in ticket templates
Hi, I'm just starting out in using Fossil. We're mostly interested in the issue tracking system. I'm making some initial configuration to suit our needs.

A question: In the Edit Ticket template, there is some code:

    set ctxt "$ctxt added on [date] UTC:</i><br />\n$cmappnd"
    append_field comment $ctxt

This produces some text:

    BobSmith added on 08:00:00 17/5/2012 UTC:

whenever someone adds a comment to a ticket. Is there a way to make [date] give local time instead of UTC? I've turned on the setting for show local time on the server settings, so it would be confusing to have a mix of local and UTC times.

For now, I've simply removed that code, so people have to go to history to see the timestamp of comments. But it would be handy to have the original functionality, with local time.

Thanks,
zchen

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
[fossil-users] 2nd Call For Papers, 19th Annual Tcl/Tk Conference 2012
[[ Notes: Colin Walker of F5 is confirmed as our Keynote speaker. http://www.f5.com ]]

19th Annual Tcl/Tk Conference (Tcl'2012)
http://www.tcl.tk/community/tcl2012/

November 12 - 16, 2012
Holiday Inn Chicago Mart Plaza
350 West Mart Center Drive
Chicago, Illinois, USA

Important Dates:
Abstracts and proposals due       August 27, 2012
Notification to authors           September 10, 2012
WIP and BOF reservations open     August 6, 2012
Author materials due              October 29, 2012
Tutorials Start                   November 12, 2012
Conference starts                 November 14, 2012

Email Contact: tclconfere...@googlegroups.com

Submission of Summaries

Tcl/Tk 2012 will be held in Chicago, Illinois, USA from November 12 - 16, 2012. The program committee is asking for papers and presentation proposals from anyone using or developing with Tcl/Tk (and extensions). Past conferences have seen submissions covering a wide variety of topics including:

* Scientific and engineering applications
* Industrial controls
* Distributed applications and Network Management
* Object oriented extensions to Tcl/Tk
* New widgets for Tk
* Simulation and application steering with Tcl/Tk
* Tcl/Tk-centric operating environments
* Tcl/Tk on small and embedded devices
* Medical applications and visualization
* Use of different programming paradigms in Tcl/Tk and proposals for new directions.
* New areas of exploration for the Tcl/Tk language

Submissions should consist of an abstract of about 100 words and a summary of not more than two pages, and should be sent as plain text to tclconference AT googlegroups DOT com no later than August 27, 2012. Authors of accepted abstracts will have until October 29, 2012 to submit their final paper for the inclusion in the conference proceedings. The proceedings will be made available on digital media, so extra materials such as presentation slides, code examples, code for extensions etc. are encouraged. Printed proceedings will be produced as an on-demand book at lulu.com. The authors will have 25 minutes to present their paper at the conference.

The program committee will review and evaluate papers according to the following criteria:

* Quantity and quality of novel content
* Relevance and interest to the Tcl/Tk community
* Suitability of content for presentation at the conference

Proposals may report on commercial or non-commercial systems, but those with only blatant marketing content will not be accepted. Application and experience papers need to strike a balance between background on the application domain and the relevance of Tcl/Tk to the application. Application and experience papers should clearly explain how the application or experience illustrates a novel use of Tcl/Tk, and what lessons the Tcl/Tk community can derive from the application or experience to apply to their own development efforts.

Papers accompanied by non-disclosure agreements will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U. S. Copyright Act of 1976.

The primary author for each accepted paper will receive registration to the Technical Sessions portion of the conference at a reduced rate.

Other Forms of Participation

The program committee also welcomes proposals for panel discussions of up to 90 minutes. Proposals should include a list of confirmed panelists, a title and format, and a panel description with position statements from each panelist. Panels should have no more than four speakers, including the panel moderator, and should allow time for substantial interaction with attendees. Panels are not presentations of related research papers.

Slots for Works-in-Progress (WIP) presentations and Birds-of-a-Feather sessions (BOFs) are available on a first-come, first-served basis starting on August 6, 2012. Specific instructions for reserving WIP and BOF time slots will be provided in the registration information available in June 2012. Some WIP and BOF time slots will be held open for on-site reservation. All attendees with an interesting work in progress should consider reserving a WIP slot.

Registration Information

More information on the conference is available on the conference Web site (http://www.tcl.tk/community/tcl2012/) and will be published on various Tcl/Tk-related information channels. To keep in touch with news regarding the conference and Tcl events in general, subscribe to the tcl-announce list. See: http://code.activestate.com/lists/tcl-announce to subscribe to the tcl-announce mailing list.

Conference Committee
Clif Flynt        Noumena Corp                                General Chair, Website Admin
Andreas Kupries   ActiveState Software Inc.                   Program Chair
Cyndy Lilagan     Nat. Museum of Health Medicine, Chicago     Site/Facilities Chair
Arjen Markus      Deltares
Brian
Re: [fossil-users] Markdown engine integrated into fossil
On Thu, May 24, 2012 at 1:51 AM, Natacha Porté nata...@instinctive.eu wrote:

> If you don't mind, I'd rather have it not named at all. Due to how it's (still) heavily loaded with negative emotions, I would like not having to interact with the original project or its repository. And a name change at this level does involve quite a lot of interaction.

In the open source community, people frequently start forks of other projects and develop them independently under new names. A recent example of a high profile project is LibreOffice, which is a fork of OpenOffice.

Thank you for your good work. And sorry that you got caught up in this controversy. You are in good company. History has many people who created great works that had unfortunate names. (I decline to name any as that is potentially another debate.)
Re: [fossil-users] Markdown engine integrated into fossil
On Wed, May 30, 2012 at 1:24 PM, Ron Wilson ronw.m...@gmail.com wrote:

> On Thu, May 24, 2012 at 1:51 AM, Natacha Porté nata...@instinctive.eu wrote:
>
>> If you don't mind, I'd rather have it not named at all. Due to how it's (still) heavily loaded with negative emotions, I would like not having to interact with the original project or its repository. And a name change at this level does involve quite a lot of interaction.
>
> In the open source community, people frequently start forks of other projects and develop them independently under new names. A recent example of a high profile project is LibreOffice, which is a fork of OpenOffice.
>
> Thank you for your good work. And sorry that you got caught up in this controversy. You are in good company. History has many people who created great works that had unfortunate names. (I decline to name any as that is potentially another debate.)

I also would like to thank Natacha for her great contribution and hope that as time goes by she might revisit her relationship with the original project. Unfortunately, human reaction to certain things like project naming could be unpredictable and sometimes destructive. Hopefully all the involved can get over it.

--Leo--
Re: [fossil-users] Markdown engine integrated into fossil
Hello,

on Wednesday 23 May 2012 at 15:26, Richard Hipp wrote:

> Nevertheless, though attached by fraud, the name is still inappropriate, and must be changed before being added to Fossil.

Thanks to some invaluable help, I finally managed to get it done (I think).

My markdown C library shall henceforth be known as libsoldout. Name chosen in the same theme as markdown and discount, as one of the possible aims (and the one I know best of) of real-life markdowns and discounts, to make room for the new collection.

The new repository is available at http://fossil.instinctive.eu/libsoldout/home and unless I misconfigured something, old links should be automatically redirecting to valid equivalents in the new repository.

As far as I know, all the unfortunate references have been purged from the code. If there are any traces still lingering, please inform me and I will deal with them as promptly as I can.

I have not changed anything in the proposed integration into fossil ( http://fossil.instinctive.eu/fossil-scm/timeline?r=markdown ) since there was no reference whatsoever to the original project in the first place.

Known traces still lingering are:

+ the history of the project, but I'm strongly against rewriting history in general, and I don't believe this case is extreme enough to warrant a breach in the principle;

+ the static archives of v1.1 of the library, linked from http://fossil.instinctive.eu/ which will be replaced when I release v1.2 (which has just entered beta), probably in one or two weeks;

+ the reference to a fork in the home page, but since it's the name of the fork I have no control upon it. That fork should probably not be mentioned at all, it will be removed in the next overhaul of the page, leaving only a reference to sundown, probably within a few weeks too.

Is there anything else I should do?

Thanks for your attention,
Natacha Porté
Re: [fossil-users] althttpd.c apache log analyzers
On Wed, May 30, 2012 at 6:03 PM, Thomas Stover c...@thomasstover.com wrote:

> I like the GoAccess www log analyzer which like many others uses the common log format. I think I'm going all in with xinet.d + stunnel + althttpd for now, so I applied the following rough edge hack in diff format below. Perhaps it will be of use to someone else.
>
> http://goaccess.prosoftcorp.com/
> http://en.wikipedia.org/wiki/Common_Log_Format

Can you send the output of diff -u please? I can't quite figure out how to apply the diff below.

207a208,212 #ifdef COMMON_LOG_FORMAT fprintf(log, %s - - [%s +] \GET %s HTTP/1.0\ %d %d \%s\ \%s\, zRemoteAddr, zDate, zScript, zReplyStatus, nOut, zReferer, zAgent); #else 216,217c221,222 nRequest, zAgent, zRM ); --- nRequest, zAgent, zRM); #endif

> --
> www.thomasstover.com

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] althttpd.c apache log analyzers
On Wed, 30 May 2012 18:14:54 -0400 Richard Hipp wrote:

> Can you send the output of diff -u please? I can't quite figure out how to apply the diff below.

See if that works. Admittedly I never use diff.

--- src/althttpd.c 2011-12-28 15:42:28.0 -0500 +++ althttpd.c 2012-05-30 17:49:59.0 -0400 @@ -205,6 +205,11 @@ rScale = 1.0/(double)sysconf(_SC_CLK_TCK); chdir((zRoot zRoot[0]) ? zRoot : /); if( (log = fopen(zLogFile,a))!=0 ){ +#ifdef COMMON_LOG_FORMAT + fprintf(log, %s - - [%s +] \GET %s HTTP/1.0\ %d %d \%s\ \%s\, + zRemoteAddr, zDate, zScript, zReplyStatus, nOut, zReferer, zAgent); + +#else fprintf(log, %s %s %s://%s%s %s %s %d %d %g %g %g %g %d %d %s %s\n, zDate, zRemoteAddr, zHttp, zHttpHost, zScript, zReferer, zReplyStatus, nIn, nOut, @@ -213,8 +218,8 @@ rScale*sTms.tms_cutime, rScale*sTms.tms_cstime, (int)(now - beginTime), - nRequest, zAgent, zRM - ); + nRequest, zAgent, zRM); +#endif fclose(log); nIn = nOut = 0; }

--
www.thomasstover.com
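Review bot: the COMMON_LOG_FORMAT fprintf added in the first hunk (@@ -205,6 +205,11 @@) has no trailing `\n`, so every combined-format entry runs into the next one and no analyzer will split them; end the format string with `\n` as the existing fprintf in the #else branch does. The same hunk writes zReferer and zAgent between double quotes without any escaping: both come straight from client request headers, so a `"` or a CR/LF in either one breaks the quoted field boundaries (and, together with the missing newline, the line boundaries) that the log analyzer relies on. Escape or strip those characters before logging, as Apache does, so a client cannot forge fields or whole entries. The date field `[%s +]` also hardcodes a literal `+` where the timezone offset belongs; produce the offset from strftime instead of a fixed character.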
Re: [fossil-users] Markdown engine integrated into fossil
On 05/30/2012 02:28 PM, Natacha Porté wrote:

> Hello,
>
> on Wednesday 23 May 2012 at 15:26, Richard Hipp wrote:
>
>> Nevertheless, though attached by fraud, the name is still inappropriate, and must be changed before being added to Fossil.
>
> Thanks to some invaluable help, I finally managed to get it done (I think).
>
> My markdown C library shall henceforth be known as libsoldout. Name chosen in the same theme as markdown and discount, as one of the possible aims (and the one I know best of) of real-life markdowns and discounts, to make room for the new collection.

Hey Natacha,

Thanks so much for leading the fork of this project! I followed, with some dismay, the news when the whole project name thing blew up a few years ago. I hoped someone would just do the right thing (i.e. forking it, what you've done now) to put that kind of unpleasantness in its place. So I'm happy to see it's finally been done.

Now, if only someone would do the same with the GIMP..;)

Steve

> The new repository is available at http://fossil.instinctive.eu/libsoldout/home and unless I misconfigured something, old links should be automatically redirecting to valid equivalents in the new repository.
>
> As far as I know, all the unfortunate references have been purged from the code. If there are any traces still lingering, please inform me and I will deal with them as promptly as I can.
>
> I have not changed anything in the proposed integration into fossil ( http://fossil.instinctive.eu/fossil-scm/timeline?r=markdown ) since there was no reference whatsoever to the original project in the first place.
>
> Known traces still lingering are:
>
> + the history of the project, but I'm strongly against rewriting history in general, and I don't believe this case is extreme enough to warrant a breach in the principle;
>
> + the static archives of v1.1 of the library, linked from http://fossil.instinctive.eu/ which will be replaced when I release v1.2 (which has just entered beta), probably in one or two weeks;
>
> + the reference to a fork in the home page, but since it's the name of the fork I have no control upon it. That fork should probably not be mentioned at all, it will be removed in the next overhaul of the page, leaving only a reference to sundown, probably within a few weeks too.
>
> Is there anything else I should do?
>
> Thanks for your attention,
> Natacha Porté
Re: [fossil-users] althttpd.c apache log analyzers
On Wed, May 30, 2012 at 6:52 PM, Thomas Stover c...@thomasstover.com wrote:

> On Wed, 30 May 2012 18:14:54 -0400 Richard Hipp wrote:
>
>> Can you send the output of diff -u please? I can't quite figure out how to apply the diff below.
>
> See if that works. Admittedly I never use diff.

The new diff is much better. Thanks. But now I see that the patch is not quite right:

(1) You always use GET instead of the value in the zMethod variable
(2) You always use HTTP/1.0 instead of the value in zProtocol
(3) The date format is wrong
(4) You append two extra fields not mentioned in the wikipedia documentation on the Common Log Format

That's all I see at the moment. Maybe fix those things and send me a new diff and we'll try again?

--- src/althttpd.c 2011-12-28 15:42:28.0 -0500 +++ althttpd.c 2012-05-30 17:49:59.0 -0400 @@ -205,6 +205,11 @@ rScale = 1.0/(double)sysconf(_SC_CLK_TCK); chdir((zRoot zRoot[0]) ? zRoot : /); if( (log = fopen(zLogFile,a))!=0 ){ +#ifdef COMMON_LOG_FORMAT + fprintf(log, %s - - [%s +] \GET %s HTTP/1.0\ %d %d \%s\ \%s\, + zRemoteAddr, zDate, zScript, zReplyStatus, nOut, zReferer, zAgent); + +#else fprintf(log, %s %s %s://%s%s %s %s %d %d %g %g %g %g %d %d %s %s\n, zDate, zRemoteAddr, zHttp, zHttpHost, zScript, zReferer, zReplyStatus, nIn, nOut, @@ -213,8 +218,8 @@ rScale*sTms.tms_cutime, rScale*sTms.tms_cstime, (int)(now - beginTime), - nRequest, zAgent, zRM - ); + nRequest, zAgent, zRM); +#endif fclose(log); nIn = nOut = 0; }

> --
> www.thomasstover.com

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] althttpd.c apache log analyzers
On Wed, May 30, 2012 at 08:09:54PM -0400, Richard Hipp wrote:

> On Wed, May 30, 2012 at 6:52 PM, Thomas Stover c...@thomasstover.com wrote:
>
>> On Wed, 30 May 2012 18:14:54 -0400 Richard Hipp wrote:
>>
>>> Can you send the output of diff -u please? I can't quite figure out how to apply the diff below.
>>
>> See if that works. Admittedly I never use diff.
>
> The new diff is much better. Thanks. But now I see that the patch is not quite right:
>
> (1) You always use GET instead of the value in the zMethod variable
> (2) You always use HTTP/1.0 instead of the value in zProtocol
> (3) The date format is wrong
> (4) You append two extra fields not mentioned in the wikipedia documentation on the Common Log Format

The diff is actually for what apache calls the combined log format which includes the referer and user-agent at the end.

> That's all I see at the moment. Maybe fix those things and send me a new diff and we'll try again?

--- src/althttpd.c 2011-12-28 15:42:28.0 -0500 +++ althttpd.c 2012-05-30 17:49:59.0 -0400 @@ -205,6 +205,11 @@ rScale = 1.0/(double)sysconf(_SC_CLK_TCK); chdir((zRoot zRoot[0]) ? zRoot : /); if( (log = fopen(zLogFile,a))!=0 ){ +#ifdef COMMON_LOG_FORMAT + fprintf(log, %s - - [%s +] \GET %s HTTP/1.0\ %d %d \%s\ \%s\, + zRemoteAddr, zDate, zScript, zReplyStatus, nOut, zReferer, zAgent); + +#else fprintf(log, %s %s %s://%s%s %s %s %d %d %g %g %g %g %d %d %s %s\n, zDate, zRemoteAddr, zHttp, zHttpHost, zScript, zReferer, zReplyStatus, nIn, nOut,
@@ -213,8 +218,8 @@ rScale*sTms.tms_cutime, rScale*sTms.tms_cstime, (int)(now - beginTime), - nRequest, zAgent, zRM - ); + nRequest, zAgent, zRM); +#endif fclose(log); nIn = nOut = 0; }

>> --
>> www.thomasstover.com
>
> --
> D. Richard Hipp
> d...@sqlite.org

--
James Turner
ja...@calminferno.net
Re: [fossil-users] althttpd.c apache log analyzers
On Wed, 30 May 2012 20:19:55 -0400 James Turner wrote:

> On Wed, May 30, 2012 at 08:09:54PM -0400, Richard Hipp wrote:
>
>> But now I see that the patch is not quite right:

it is also missing a \n

>> (1) You always use GET instead of the value in the zMethod variable
>> (2) You always use HTTP/1.0 instead of the value in zProtocol

will fix

>> (3) The date format is wrong

just use TZ's locale?

>> (4) You append two extra fields not mentioned in the wikipedia documentation on the Common Log Format
>
> The diff is actually for what apache calls the combined log format which includes the referer and user-agent at the end.

All I was doing was just trying to imitate the log format of boa, which I knew was working for my purposes. I had wondered about the discrepancy though. http://www.boa.org/

I'll iron it out, just after I figure out why it won't work with some of my jpg files...

--
www.thomasstover.com
[fossil-users] Security of Fossil
Hi, just getting started with Fossil. We're using it mostly for the issue tracker. I'm not very familiar with networking/security in an organisation, so hopefully someone can give me some advice. I've done a search through the mailing list archives for security, login attempts, login lock, without much success.

At the moment I've just got it naively running on a Windows Server 2008 machine, using fossil server MyRepoName. I've opened our windows firewall to port 8080. At the moment the machine is only accessible via LAN, but we're considering opening up the machine to the internet by forwarding port 8080 from a modem/router.

The stuff we're putting on fossil isn't particularly important so we're not too concerned about people intercepting communications (thus we're not investigating SSH), but we are concerned about vandalism, people accessing other things on our network, people messing with the server machine, etc.

- Are there any other precautions I should be taking to make things safer?
- Is Fossil safe to run exposed to the internet like that? (or should we consider hosting it externally, for example)
- By default, there doesn't seem to be a feature to stop brute-force attacks on passwords, like a max-number-of-invalid-logins thing. Are there ways to protect our user accounts from such attacks?
- It would also be good to be able to limit Administrator access to only the local PC or local LAN, is there a way to do this?

Thanks,
zchen
Re: [fossil-users] Security of Fossil
On Thu, 31 May 2012 12:00:48 +1000 Chen, Zon wrote:

> - By default, there doesn't seem to be a feature to stop brute-force attacks on passwords, like a max-number-of-invalid-logins thing. Are there ways to protect our user accounts from such attacks?

TLS/SSL (https) is the first step towards protecting password security in all matters www. Even though this would be on top of the measures fossil is taking to not send a password in clear text over the wire. I think stunnel works on windows. Good question about the max number of login attempts.

> - It would also be good to be able to limit Administrator access to only the local PC or local LAN, is there a way to do this?

You mean the administration of the fossil project right? Windows does have file permissions, and the user that fossil is being run as is up to you. Sadly this is so over complicated in windows that it can be hard to say when everything is actually configured correctly. hint - watch those inherited permissions! I'm only half joking when I say it's easier to just learn linux. :)

--
www.thomasstover.com
Re: [fossil-users] Security of Fossil
Thanks Thomas. I'll investigate stunnel.

By my second question, I meant Fossil's Administrator account, not that of windows. Assuming that I don't find a solution for people brute-forcing passwords for regular accounts, that's not a big deal. However, if people can brute-force the Fossil Admin account, then that would be a problem. Similarly, if there was a feature where an account would get locked out after 3 incorrect logins, that can't apply to the Admin account, or else we wouldn't be able to unlock, etc. So ideally we want to be able to limit Fossil's Administrator account to only work from the local PC (or better yet, from LAN only.)

-----Original Message-----

> On Thu, 31 May 2012 12:00:48 +1000 Chen, Zon wrote:
>
>> - By default, there doesn't seem to be a feature to stop brute-force attacks on passwords, like a max-number-of-invalid-logins thing. Are there ways to protect our user accounts from such attacks?
>
> TLS/SSL (https) is the first step towards protecting password security in all matters www. Even though this would be on top of the measures fossil is taking to not send a password in clear text over the wire. I think stunnel works on windows. Good question about the max number of login attempts.
>
>> - It would also be good to be able to limit Administrator access to only the local PC or local LAN, is there a way to do this?
>
> You mean the administration of the fossil project right? Windows does have file permissions, and the user that fossil is being run as is up to you. Sadly this is so over complicated in windows that it can be hard to say when everything is actually configured correctly. hint - watch those inherited permissions! I'm only half joking when I say it's easier to just learn linux. :)
>
> --
> www.thomasstover.com
[fossil-users] Example ticket reports
Hi, I'm setting up some reports for our Fossil ticket system, but I'm not immediately familiar with SQL. I've been muddling my way through with the SQLite documentation, but it would be really nice to see/steal some common examples, such as the reports available on the fossil-scm.org. Would it be possible to please make the SQL of the reports used by the fossil project viewable by anonymous users? Or alternatively, if they could be cut-pasted into the wiki.

Thanks,
zchen
Re: [fossil-users] Security of Fossil
On Thu, 31 May 2012 13:44:52 +1000 Chen, Zon wrote:

> By my second question, I meant Fossil's Administrator account, not that of windows. Assuming that I don't find a solution for people brute-forcing passwords for regular accounts, that's not a big deal. However, if people can brute-force the Fossil Admin account, then that would be a problem. Similarly, if there was a feature where an account would get locked out after 3 incorrect logins, that can't apply to the Admin account, or else we wouldn't be able to unlock, etc. So ideally we want to be able to limit Fossil's Administrator account to only work from the local PC (or better yet, from LAN only.)

ok that makes sense. I do know that you can unlock the admin account by just doing a fossil ui on it locally, which I have done when I have just forgotten the password. I'd like to see what the other answers turn out to be.

--
www.thomasstover.com
Re: [fossil-users] Security of Fossil
Thomas Stover c...@thomasstover.com wrote:

> On Thu, 31 May 2012 13:44:52 +1000 Chen, Zon wrote:
>
>> So ideally we want to be able to limit Fossil's Administrator account to only work from the local PC (or better yet, from LAN only.)
>
> ok that makes sense. I do know that you can unlock the admin account by just doing a fossil ui on it locally, which I have done when I have just forgotten the password. I'd like to see what the other answers turn out to be.

My understanding is that the fossil serve mode is meant more for very lightweight or ad-hoc usage, and it's recommended that you put a server in front of (i.e. - an http server via cgi, or inetd, or some such) fossil for heavier work. Pretty much required if you want consistent access to multiple repositories. Maybe that's wrong for the windows version, or out of date, or I misunderstood something. But because of that, I expect it to punt hardcore security issues to that other server.

I just today set up a half-dozen repositories for a client behind lighttpd, using the cgi mode with the recommended fossil script pointed at the directory the repositories reside in. We set remote_user_ok (I think that's it - fossil will log you in as the httpd user name if it has a user by that name). We let the httpd daemon handle auth, and only create users in the repositories we want them to have access to. The downside is we have to create an extra user. The upside is we get a single signon for all our repositories.

We didn't create an httpd account for the admin user. This means you can't log in as the admin user at the browser auth point that users normally see. I think you can log in as a user with httpd access, then log into a repository as admin, but that may only work if the user doesn't have access to the repository, or if you log out of fossil first.

If you wanted to allow admin access from the LAN as well as localhost, you'd set up the http auth so that admin had an account, but could only log in from the LAN.

Come to think of it, I did something very similar with svn served by apache. Apache's auth handled restricting access into the repository to members of apache groups.

--
Sent from my Android tablet. Please excuse my swyping.
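Two points from this thread, the brute-force question above and the Apache combined log format that the althttpd patch in the log-analyzer thread aims at, combine into a small defender-side check. The following is an added example, not code from Fossil, althttpd or any poster: it parses combined-format lines (the sample lines are constructed) and flags client addresses that POST to the login page at least a threshold number of times within a sliding window; it assumes /login is the path that receives Fossil's login form.

```python
"""Flag repeated login POSTs per client address in Apache/NCSA combined log lines.

Added example for this thread, not Fossil or althttpd code. Assumptions: the
server writes the combined log format, and the login form is POSTed to /login.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# host ident authuser [date] "method path proto" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes (\"), as Apache writes them.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"\\]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def _unescape(field):
    # Undo Apache's escaping of embedded quotes and backslashes.
    return field.replace('\\"', '"').replace('\\\\', '\\')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["referer"] = _unescape(rec["referer"])
    rec["agent"] = _unescape(rec["agent"])
    return rec


def find_login_bursts(lines, login_path="/login", threshold=5,
                      window=timedelta(minutes=10)):
    """Return ({host: peak_count}, unparsed_count).

    A host is flagged once it has made `threshold` or more POSTs to login_path
    inside `window`. Lines that fail to parse are counted separately: a server
    that logs client headers unescaped produces exactly such lines when a header
    contains a quote or newline, so a rising count is itself worth a look.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent login POSTs
    flagged = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] != "POST" or rec["path"].split("?")[0] != login_path:
            continue
        q = recent[rec["host"]]
        q.append(rec["time"])
        # Drop attempts that have fallen out of the sliding window.
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["host"]] = max(flagged.get(rec["host"], 0), len(q))
    return flagged, unparsed


# Constructed sample log: one noisy client, one normal client, one corrupted line
# (an unescaped quote in the user agent, the case the reviewer notes warn about).
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2012:00:40:01 -0400] "GET /index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:05 -0400] "POST /login HTTP/1.1" 200 3104 "http://fossil.example/login" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:09 -0400] "POST /login HTTP/1.1" 200 3104 "http://fossil.example/login" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:12 -0400] "POST /login HTTP/1.1" 200 3104 "http://fossil.example/login" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:16 -0400] "POST /login HTTP/1.1" 200 3104 "http://fossil.example/login" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:20 -0400] "POST /login HTTP/1.1" 200 3104 "http://fossil.example/login" "Mozilla/5.0"
198.51.100.9 - - [31/May/2012:00:41:00 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 \\"tablet\\""
198.51.100.9 - - [31/May/2012:00:41:02 -0400] "GET /timeline HTTP/1.1" 200 8810 "http://fossil.example/" "Mozilla/5.0"
203.0.113.7 - - [31/May/2012:00:40:25 -0400] "GET /login HTTP/1.1" 200 2210 "-" "broken"quote"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    bursts, bad = find_login_bursts(SAMPLE_LINES)
    print("flagged:", bursts, "unparsed lines:", bad)
```

Pointing the same loop at the live log behind a reverse proxy gives the "max number of invalid logins" signal the thread asks about without changing Fossil; blocking is then a firewall or proxy decision rather than something the repository has to enforce.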
Re: [fossil-users] althttpd.c apache log analyzers
- The diff below implements combined log format used by several popular web traffic analyzers, when the COMBINED_LOG_FORMAT macro is defined. ie gcc althttpd.c -DCOMBINED_LOG_FORMAT -o /usr/local/bin/althttpd

- The date should now be in the right format. I think the reason it still worked in the wrong format is the use of the abbreviated textual month in the current locale as part of the format spec which in the strictest sense requires analyzers to just treat that part as opaque text.

- Also in this diff is a quick addressing of the CGI POST handling code path's use of an unchecked fopen(), which kept me dead in the water back when I was first starting.

- btw for other list archaeologists trying to squash bugs, my problem with .jpg files not loading was because they somehow had the execute flag turned on (digital camera's FAT fs). Remember that althttpd simply looks at that criteria for the CGI code path.

- Having to go to name-based virtual servers over IP based virtual servers is what finally forced my transition from the boa web server. The althttpd xinetd stunnel combination makes an outstanding strategy for bare-minimum nonsense, low resource usage, and acceptable security risk.

--- src/althttpd.c 2011-12-28 15:42:28.0 -0500 +++ althttpd.c 2012-05-31 00:33:05.0 -0400
@@ -200,11 +200,17 @@ if( zAgent==0 || zAgent[0]==0 ) zAgent = *; time(now); pTm = localtime(now); -strftime(zDate, sizeof(zDate), %Y-%m-%d %H:%M:%S, pTm); times(sTms); rScale = 1.0/(double)sysconf(_SC_CLK_TCK); chdir((zRoot zRoot[0]) ? zRoot : /); if( (log = fopen(zLogFile,a))!=0 ){ +#ifdef COMBINED_LOG_FORMAT + strftime(zDate, sizeof(zDate), %d/%b/%Y:%H:%M:%S %z, pTm); + fprintf(log, %s - - [%s] \%s %s %s\ %d %d \%s\ \%s\\n, + zRemoteAddr, zDate, zMethod, zScript, zProtocol, + zReplyStatus, nOut, zReferer, zAgent); +#else + strftime(zDate, sizeof(zDate), %Y-%m-%d %H:%M:%S, pTm); fprintf(log, %s %s %s://%s%s %s %s %d %d %g %g %g %g %d %d %s %s\n, zDate, zRemoteAddr, zHttp, zHttpHost, zScript, zReferer, zReplyStatus, nIn, nOut, @@ -213,8 +219,8 @@ rScale*sTms.tms_cutime, rScale*sTms.tms_cstime, (int)(now - beginTime), - nRequest, zAgent, zRM - ); + nRequest, zAgent, zRM); +#endif fclose(log); nIn = nOut = 0; } @@ -1021,7 +1027,17 @@ sprintf(zTmpNamBuf, /tmp/-post-data-XX); zTmpNam = zTmpNamBuf; mkstemp(zTmpNam); -out = fopen(zTmpNam,w); +if((out = fopen(zTmpNam,w)) == NULL) { + StartResponse(500 Internal Server Error); + nOut += printf( +Content-type: text/html\r\n +\r\n +\nhint: check permissions on /tmp +/body\n); + MakeLogEntry(0); + exit(0); +} + zBuf = SafeMalloc( len ); alarm(15 + len/2000); n = fread(zBuf,1,len,stdin);

--
www.thomasstover.com
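Review bot: in the first hunk (@@ -200,11 +200,17 @@) the COMBINED_LOG_FORMAT fprintf now carries the method, protocol, an Apache-style date and the trailing `\n`, but zReferer and zAgent are still written raw between the double quotes. Both are client-controlled request headers, so a `"` or a CR/LF inside either one lets a single request forge extra fields, or an entire extra log line, that GoAccess and similar analyzers will read as genuine; escape `"`, `\` and control characters before the fprintf (Apache writes them as `\"` and `\xHH`) or drop the request. The `if( zAgent==0 || zAgent[0]==0 ) zAgent = *;` default that precedes the hunk only handles the empty case, not the content.

Review bot: in the third hunk (@@ -1021,7 +1027,17 @@) the new fopen() check addresses the symptom but leaves the underlying defect in place: mkstemp() already returns an open descriptor for the file it created, and the code discards that return value (so a -1 failure is never seen) and then reopens the same path by name, leaking one descriptor per POST and writing through a second, non-atomic open. Prefer `int fd = mkstemp(zTmpNam); if( fd<0 || (out = fdopen(fd,"w"))==0 ){ ... }` so the descriptor mkstemp created is the one written to. The error body also tells the client to `check permissions on /tmp`; a 500 response should stay generic and the detail belongs in the server log (MakeLogEntry is already called here), not in the page returned to the remote user.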