Re: [pydotorg-www] Repeated outages of python.org
>> While having documentation of the setup is essential, I don't think
>> making that documentation available outside the group of
>> administrators is a good thing to do.

Martin> I disagree. Administrators tend to forget where the information
Martin> is stored, and how to access it; they are also uncertain as to
Martin> whether certain aspects are documented at all. Giving Google
Martin> access to this information (or any other search engine)
Martin> simplifies maintenance.

I agree with Martin. I do very little actual maintenance, only of the
SpamBayes setup on mail.python.org. That's about all I can ever remember
how to do. Heaven help you, for instance, if you ever need me to update
someone's ssh pub key. :-) At the very least, if I am the last resort
available, I know I can poke around the wiki to figure that out.

A compromise might be to use Google docs to share this information
between just the admins. Or create a RotoRooters group on the wiki and
add appropriate ACLs to the root page(s) on the wiki. The Google Docs
solution would also have the advantage that, just like the roto-rooters
email alias, it doesn't depend on any of the python.org infrastructure.
Presumably, in the face of a significant outage people might still be
able to find what they are looking for.

Skip
___
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www
Re: [pydotorg-www] Repeated outages of python.org
On 25.07.2011 21:16, M.-A. Lemburg wrote:
> "Martin v. Löwis" wrote:
>>> So you deliberately make it easy for potential attackers to find out
>>> about everything they need to know in order to take over the site.
>>>
>>> Could you explain the reasons behind this ?
>>
>> This information is not meant for attackers, but for people contributing to
>> the maintenance of the site. It may also help attackers, but only a little
>> so, since they can easily gather the information, anyway.
>>
>> You seem to favor obscurity as a means of security. Please understand that
>> this gives a false sense of security.
>
> No, not really. Not having the information readily available doesn't make it
> more secure (obscurity never increases security), but it does make it harder,
> and thus, raises the bar for script-kiddies.

This is similar to running SSH on a non-standard port: praised by many as the
ultimate security measure, but in reality it only delays people by the amount
of time it takes to do a portscan.

Georg
Re: [pydotorg-www] Repeated outages of python.org
"Martin v. Löwis" wrote:
>> So you deliberately make it easy for potential attackers to
>> find out about everything they need to know in order to take over
>> the site.
>>
>> Could you explain the reasons behind this ?
>
> This information is not meant for attackers, but for people contributing
> to the maintenance of the site. It may also help
> attackers, but only a little so, since they can easily gather the
> information, anyway.
>
> You seem to favor obscurity as a means of security. Please understand
> that this gives a false sense of security.

No, not really. Not having the information readily available
doesn't make it more secure (obscurity never increases security),
but it does make it harder, and thus, raises the bar for
script-kiddies.

>> While having documentation of the setup is essential, I don't think
>> making that documentation available outside the group of administrators
>> is a good thing to do.
>
> I disagree. Administrators tend to forget where the information is
> stored, and how to access it; they are also uncertain as to whether
> certain aspects are documented at all. Giving Google access to this
> information (or any other search engine) simplifies maintenance.

A wiki on a separate server would make that information just as
easily available, so I don't really buy into that argument of
unorganized administrators (which I don't think we have on python.org).

The PSF has a Trac installation that could be used for this. It's
hosted on a separate managed servers, so the information would be
available even if python.org goes down. I can create an instance
and user accounts for you to use.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jul 25 2011)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free !

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
Re: [pydotorg-www] Repeated outages of python.org
> So you deliberately make it easy for potential attackers to
> find out about everything they need to know in order to take over
> the site.
>
> Could you explain the reasons behind this ?

This information is not meant for attackers, but for people contributing
to the maintenance of the site. It may also help attackers, but only a
little so, since they can easily gather the information, anyway.

You seem to favor obscurity as a means of security. Please understand
that this gives a false sense of security.

> While having documentation of the setup is essential, I don't think
> making that documentation available outside the group of administrators
> is a good thing to do.

I disagree. Administrators tend to forget where the information is
stored, and how to access it; they are also uncertain as to whether
certain aspects are documented at all. Giving Google access to this
information (or any other search engine) simplifies maintenance.

Regards,
Martin
Re: [pydotorg-www] Repeated outages of python.org
On Mon, Jul 25, 2011 at 20:52, M.-A. Lemburg wrote:
> "Martin v. Löwis" wrote:
>>> If you look through the archives, it's very easy to find out about
>>> the infrastructure setup being used to run python.org. Take e.g.
>>> this thread as example:
>>>
>>> http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results
>>
>> This information is also published in the Wiki, and deliberately so.
>>
>> There is nothing secret about the setup of python.org, except for the
>> actual passwords.
>
> So you deliberately make it easy for potential attackers to
> find out about everything they need to know in order to take over
> the site.
>
> Could you explain the reasons behind this ?
>
> While having documentation of the setup is essential, I don't think
> making that documentation available outside the group of administrators
> is a good thing to do.

In my experience, if you need to rely on obscurity as your security
measure, then you are in a very bad position.

--
Radomir Dopieralski, http://sheep.art.pl
Re: [pydotorg-www] Repeated outages of python.org
"Martin v. Löwis" wrote:
>> If you look through the archives, it's very easy to find out about
>> the infrastructure setup being used to run python.org. Take e.g.
>> this thread as example:
>>
>> http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results
>
> This information is also published in the Wiki, and deliberately so.
>
> There is nothing secret about the setup of python.org, except for the
> actual passwords.

So you deliberately make it easy for potential attackers to
find out about everything they need to know in order to take over
the site.

Could you explain the reasons behind this ?

While having documentation of the setup is essential, I don't think
making that documentation available outside the group of administrators
is a good thing to do.

--
Marc-Andre Lemburg
eGenix.com
Re: [pydotorg-www] Repeated outages of python.org
> If you look through the archives, it's very easy to find out about
> the infrastructure setup being used to run python.org. Take e.g.
> this thread as example:
>
> http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results

This information is also published in the Wiki, and deliberately so.

There is nothing secret about the setup of python.org, except for the
actual passwords.

Regards,
Martin
Re: [pydotorg-www] Repeated outages of python.org
On Sun, Jul 24, 2011 at 12:13 PM, Georg Brandl wrote:
> Hi,
>
> once again python.org is either very unresponsive or dead.
>
> Do we have the resources to monitor it a little more carefully
> from now on until we found out what the cause is? Could it be
> some kind of attack?

I set up a basic monitor on https://pydotorg.appspot.com/ that measures
latency or records failure if python.org fails to respond within 7
seconds. I planned to add some charts to it, but ran out of time. If
anybody can help to do this probably using
http://imagecharteditor.appspot.com/ - I'll export data in required
format. The samples are taken every minute starting from today.

--
anatoly t.
Re: [pydotorg-www] pydotorg-www archives
On Mon, Jul 25, 2011, Chris Withers wrote:
> On 25/07/2011 11:29, Michael Foord wrote:
>>
>> We don't make the archives of other public lists private because someone
>> sent an email they shouldn't have done - in fact we generally refuse to
>> even remove those emails from the archive.
>>
>> The detail revealed in this email isn't critical, and I don't think we
>> should lose public archives because of it.
>
> +1

After reading the whole thread so far, also +1. From my POV, there's a
separate debate about whether we should have a public mailing list at
all (which I'm completely neutral about), but given a public mailing
list, the archives should be public. There's no reason to force someone
to sign up for the list just to read past discussions.

--
Aahz (a...@pythoncraft.com) <*> http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not
start writing it." --Dijkstra
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 13:18, M.-A. Lemburg wrote:
> Michael Foord wrote:
>> On 25/07/2011 12:26, M.-A. Lemburg wrote:
>>>> I have a very strong preference for keeping the archives public
>>>> unless we absolutely have to. I'd rather offending messages were
>>>> scrubbed from the archive than the list archives made private.
>>> That's not possible, I'm afraid, since the list archives on python.org
>>> are not only being picked up by Google, but also other sites which
>>> then co-host them, e.g.
>>>
>>> http://markmail.org/search/?q=pydotorg-www#query:pydotorg-www
>>> list%3Aorg.python.pydotorg-www+page:1+state:facets
>>> http://www.mail-archive.com/pydotorg-www@python.org/info.html
>>> http://blog.gmane.org/gmane.comp.python.pydotorg-www
>> That's only if the archives are left long enough for the spiders to
>> pick them up. Not guaranteed to prevent information leakage but may be
>> sufficient in individual cases.
> It seems that those sites are directly signed up to the mailing
> list, so there is no lag which could be used to scrub such messages.
> Making the archives private wouldn't solve this either.

Ok.

>>>>> BTW: How often do you actually search on this mailing list ?
>>>> What I often do is browse the archives, having to log in is a
>>>> nuisance. I also link to discussions on the list - making them
>>>> private effectively prevents that as people have to join the list
>>>> just to view the archives. Occasionally when I can't find a
>>>> particular discussion I use search to find it.
>>> Well, then what do you recommend to keep such infos off the net ?
>> Not posting them to a public list! Plus having policies and security
>> infrastructure in place that does not allow harm due to accidental
>> revealing of information.
>>
>> This could just as easily have been posted to python-list or some
>> other public list, we should have policies in place to cope with this.
>> Whatever those policies are should apply to this list.
> True. I'm just not sure how this could be done, though.
>
> The only way appears to be moderation, but that's not really
> feasible without a whole team of moderators.

I meant policies to deal with the results of actual information leakage
(plus "social policies" to prevent it happening) - not moderating every
message to every public list we run!

Michael

--
http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing http://www.sqlite.org/different.html
Re: [pydotorg-www] Repeated outages of python.org
Michael Foord wrote:
> On 25/07/2011 12:26, M.-A. Lemburg wrote:
>>> I have a very strong
>>> preference for keeping the archives public unless we absolutely have to.
>>> I'd rather offending messages were scrubbed from the archive than the
>>> list archives made private.
>> That's not possible, I'm afraid, since the list archives on python.org
>> are not only being picked up by Google, but also other sites which
>> then co-host them, e.g.
>>
>> http://markmail.org/search/?q=pydotorg-www#query:pydotorg-www
>> list%3Aorg.python.pydotorg-www+page:1+state:facets
>> http://www.mail-archive.com/pydotorg-www@python.org/info.html
>> http://blog.gmane.org/gmane.comp.python.pydotorg-www
>>
> That's only if the archives are left long enough for the spiders to pick
> them up. Not guaranteed to prevent information leakage but may be
> sufficient in individual cases.

It seems that those sites are directly signed up to the mailing
list, so there is no lag which could be used to scrub such messages.
Making the archives private wouldn't solve this either.

>>>> BTW: How often do you actually search on this mailing list ?
>>> What I often do is browse the archives, having to log in is a nuisance.
>>> I also link to discussions on the list - making them private effectively
>>> prevents that as people have to join the list just to view the
>>> archives. Occasionally when I can't find a particular discussion I use
>>> search to find it.
>> Well, then what do you recommend to keep such infos off the net ?
>>
> Not posting them to a public list! Plus having policies and security
> infrastructure in place that does not allow harm due to accidental
> revealing of information.
>
> This could just as easily have been posted to python-list or some other
> public list, we should have policies in place to cope with this.
> Whatever those policies are should apply to this list.

True. I'm just not sure how this could be done, though.

The only way appears to be moderation, but that's not really
feasible without a whole team of moderators.

--
Marc-Andre Lemburg
eGenix.com
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 12:26, M.-A. Lemburg wrote:
> Michael Foord wrote:
>> On 25/07/2011 11:52, M.-A. Lemburg wrote:
>>> Michael Foord wrote:
>>>> On 25/07/2011 10:10, M.-A. Lemburg wrote:
>>>>> Hi Michael,
>>>>>
>>>>> Michael Foord wrote:
>>>>>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>>>>>> Could one of the list admins please turn the list archive
>>>>>>> of the pydotorg-www list into a private one ?
>>>>>>>
>>>>>>> I don't think it's a good idea to let our setup information leak
>>>>>>> to the Internet via search engines.
>>>>>> The *point* of pydotorg-www is that it is a public list. Private
>>>>>> information should be sent to pydotorg not pydotorg-www.
>>>>> I was only talking about the archives, not making it a private
>>>>> list altogether.
>>>> Sure, but losing public archives, and the ability to use search
>>>> engines to search the archives is a big loss.
>>>>
>>>> We don't make the archives of other public lists private because
>>>> someone sent an email they shouldn't have done - in fact we generally
>>>> refuse to even remove those emails from the archive.
>>> Right, but this mailing list is special in the sense that it
>>> discusses an important piece of the Python infrastructure.
>>>
>>> Unlike other mailing lists where such leakage usually only has impact
>>> on the one accidentally sending it, it can cause potential harm to
>>> the PSF servers in case of this list.
>> Does the information leaked present a real risk?
> If you look through the archives, it's very easy to find out about
> the infrastructure setup being used to run python.org. Take e.g.
> this thread as example:
>
> http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results
>
> Thomas' email has revealed more information in that direction.
> It's not a direct risk, though.
>> I have a very strong preference for keeping the archives public
>> unless we absolutely have to. I'd rather offending messages were
>> scrubbed from the archive than the list archives made private.
> That's not possible, I'm afraid, since the list archives on python.org
> are not only being picked up by Google, but also other sites which
> then co-host them, e.g.
>
> http://markmail.org/search/?q=pydotorg-www#query:pydotorg-www
> list%3Aorg.python.pydotorg-www+page:1+state:facets
> http://www.mail-archive.com/pydotorg-www@python.org/info.html
> http://blog.gmane.org/gmane.comp.python.pydotorg-www

That's only if the archives are left long enough for the spiders to pick
them up. Not guaranteed to prevent information leakage but may be
sufficient in individual cases.

>>> BTW: How often do you actually search on this mailing list ?
>> What I often do is browse the archives, having to log in is a nuisance.
>> I also link to discussions on the list - making them private
>> effectively prevents that as people have to join the list just to view
>> the archives. Occasionally when I can't find a particular discussion I
>> use search to find it.
> Well, then what do you recommend to keep such infos off the net ?

Not posting them to a public list! Plus having policies and security
infrastructure in place that does not allow harm due to accidental
revealing of information.

This could just as easily have been posted to python-list or some other
public list, we should have policies in place to cope with this.
Whatever those policies are should apply to this list.

Michael

--
http://www.voidspace.org.uk/
Re: [pydotorg-www] Repeated outages of python.org
M.-A. Lemburg writes:
>
> If you look through the archives, it's very easy to find out about
> the infrastructure setup being used to run python.org. Take e.g.
> this thread as example:
>
> http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results

I'm not sure what is sensitive in that thread. Any determined attacker
can certainly get that information (and much more) by themselves.

All in all, I agree with Michael. It is important that people can know
easily if a problem has been reported or not, without having to
subscribe or log in. It is also important to know if problems are being
acted upon, again without having to subscribe.

Obviously, sensitive information should only be communicated privately,
but that shouldn't rule out the existence of a public channel.

Regards

Antoine.
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 11:29, Michael Foord wrote:
> On 25/07/2011 10:10, M.-A. Lemburg wrote:
>> Hi Michael,
>>
>> Michael Foord wrote:
>>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>>> Could one of the list admins please turn the list archive
>>>> of the pydotorg-www list into a private one ?
>>>>
>>>> I don't think it's a good idea to let our setup information leak
>>>> to the Internet via search engines.
>>> The *point* of pydotorg-www is that it is a public list. Private
>>> information should be sent to pydotorg not pydotorg-www.
>> I was only talking about the archives, not making it a private
>> list altogether.
> Sure, but losing public archives, and the ability to use search engines
> to search the archives is a big loss.
>
> We don't make the archives of other public lists private because someone
> sent an email they shouldn't have done - in fact we generally refuse to
> even remove those emails from the archive.
>
> The detail revealed in this email isn't critical, and I don't think we
> should lose public archives because of it.

+1

Chris

--
Simplistix - Content Management, Batch Processing & Python Consulting
- http://www.simplistix.co.uk
Re: [pydotorg-www] Repeated outages of python.org
Michael Foord wrote:
> On 25/07/2011 11:52, M.-A. Lemburg wrote:
>> Michael Foord wrote:
>>> On 25/07/2011 10:10, M.-A. Lemburg wrote:
>>>> Hi Michael,
>>>>
>>>> Michael Foord wrote:
>>>>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>>>>> Could one of the list admins please turn the list archive
>>>>>> of the pydotorg-www list into a private one ?
>>>>>>
>>>>>> I don't think it's a good idea to let our setup information leak
>>>>>> to the Internet via search engines.
>>>>> The *point* of pydotorg-www is that it is a public list. Private
>>>>> information should be sent to pydotorg not pydotorg-www.
>>>> I was only talking about the archives, not making it a private
>>>> list altogether.
>>> Sure, but losing public archives, and the ability to use search engines
>>> to search the archives is a big loss.
>>>
>>> We don't make the archives of other public lists private because someone
>>> sent an email they shouldn't have done - in fact we generally refuse to
>>> even remove those emails from the archive.
>> Right, but this mailing list is special in the sense that it
>> discusses an important piece of the Python infrastructure.
>>
>> Unlike other mailing lists where such leakage usually only has impact
>> on the one accidentally sending it, it can cause potential harm to
>> the PSF servers in case of this list.
>
> Does the information leaked present a real risk?

If you look through the archives, it's very easy to find out about
the infrastructure setup being used to run python.org. Take e.g.
this thread as example:

http://markmail.org/thread/kcxkjbesmbweaaj6#query:+page:1+mid:kcxkjbesmbweaaj6+state:results

Thomas' email has revealed more information in that direction.
It's not a direct risk, though.

> I have a very strong
> preference for keeping the archives public unless we absolutely have to.
> I'd rather offending messages were scrubbed from the archive than the
> list archives made private.

That's not possible, I'm afraid, since the list archives on python.org
are not only being picked up by Google, but also other sites which
then co-host them, e.g.

http://markmail.org/search/?q=pydotorg-www#query:pydotorg-www
list%3Aorg.python.pydotorg-www+page:1+state:facets
http://www.mail-archive.com/pydotorg-www@python.org/info.html
http://blog.gmane.org/gmane.comp.python.pydotorg-www

>> BTW: How often do you actually search on this mailing list ?
>>
>
> What I often do is browse the archives, having to log in is a nuisance.
> I also link to discussions on the list - making them private effectively
> prevents that as people have to join the list just to view the
> archives. Occasionally when I can't find a particular discussion I use
> search to find it.

Well, then what do you recommend to keep such infos off the net ?

--
Marc-Andre Lemburg
eGenix.com
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 11:52, M.-A. Lemburg wrote:
> Michael Foord wrote:
>> On 25/07/2011 10:10, M.-A. Lemburg wrote:
>>> Hi Michael,
>>>
>>> Michael Foord wrote:
>>>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>>>> Could one of the list admins please turn the list archive
>>>>> of the pydotorg-www list into a private one ?
>>>>>
>>>>> I don't think it's a good idea to let our setup information leak
>>>>> to the Internet via search engines.
>>>> The *point* of pydotorg-www is that it is a public list. Private
>>>> information should be sent to pydotorg not pydotorg-www.
>>> I was only talking about the archives, not making it a private
>>> list altogether.
>> Sure, but losing public archives, and the ability to use search engines
>> to search the archives is a big loss.
>>
>> We don't make the archives of other public lists private because someone
>> sent an email they shouldn't have done - in fact we generally refuse to
>> even remove those emails from the archive.
> Right, but this mailing list is special in the sense that it
> discusses an important piece of the Python infrastructure.
>
> Unlike other mailing lists where such leakage usually only has impact
> on the one accidentally sending it, it can cause potential harm to
> the PSF servers in case of this list.

Does the information leaked present a real risk? I have a very strong
preference for keeping the archives public unless we absolutely have to.
I'd rather offending messages were scrubbed from the archive than the
list archives made private.

> BTW: How often do you actually search on this mailing list ?

What I often do is browse the archives, having to log in is a nuisance.
I also link to discussions on the list - making them private effectively
prevents that as people have to join the list just to view the archives.
Occasionally when I can't find a particular discussion I use search to
find it.

All the best,

Michael Foord

--
http://www.voidspace.org.uk/
Re: [pydotorg-www] Repeated outages of python.org
Michael Foord wrote:
> On 25/07/2011 10:10, M.-A. Lemburg wrote:
>> Hi Michael,
>>
>> Michael Foord wrote:
>>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>>> Could one of the list admins please turn the list archive
>>>> of the pydotorg-www list into a private one ?
>>>>
>>>> I don't think it's a good idea to let our setup information leak
>>>> to the Internet via search engines.
>>> The *point* of pydotorg-www is that it is a public list. Private
>>> information should be sent to pydotorg not pydotorg-www.
>> I was only talking about the archives, not making it a private
>> list altogether.
> Sure, but losing public archives, and the ability to use search engines
> to search the archives is a big loss.
>
> We don't make the archives of other public lists private because someone
> sent an email they shouldn't have done - in fact we generally refuse to
> even remove those emails from the archive.

Right, but this mailing list is special in the sense that it
discusses an important piece of the Python infrastructure.

Unlike other mailing lists where such leakage usually only has impact
on the one accidentally sending it, it can cause potential harm to
the PSF servers in case of this list.

BTW: How often do you actually search on this mailing list ?

--
Marc-Andre Lemburg
eGenix.com
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 10:10, M.-A. Lemburg wrote:
> Hi Michael,
>
> Michael Foord wrote:
>> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>>> Could one of the list admins please turn the list archive
>>> of the pydotorg-www list into a private one ?
>>>
>>> I don't think it's a good idea to let our setup information leak
>>> to the Internet via search engines.
>> The *point* of pydotorg-www is that it is a public list. Private
>> information should be sent to pydotorg not pydotorg-www.
> I was only talking about the archives, not making it a private
> list altogether.

Sure, but losing public archives, and the ability to use search engines
to search the archives is a big loss.

We don't make the archives of other public lists private because someone
sent an email they shouldn't have done - in fact we generally refuse to
even remove those emails from the archive.

The detail revealed in this email isn't critical, and I don't think we
should lose public archives because of it.

All the best,

Michael

>> Michael
>>> Thanks.
>>>
>>> Thomas Wouters wrote:
>>>> On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
>>>>> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
>>>>>> Georg Brandl writes:
>>>>>>> Do we have the resources to monitor it a little more carefully
>>>>>>> from now on until we found out what the cause is? Could it be
>>>>>>> some kind of attack?
>>>>>> It looks like power-cycling privileges should be given to more
>>>>>> people (Georg for example :-)), to avoid potentially long outages
>>>>>> like this.
>>>>> The problem isn't really 'powercycle privileges', but 'sysadmins
>>>>> looking after the machines' (the former should come with the
>>>>> latter.) I haven't been involved with the setup and maintenance of
>>>>> these machines, and I shouldn't be the only one who can powercycle
>>>>> them -- everyone with root on the machine really should be able to,
>>>>> and everyone on roto-root...@wooz.org (the non-python.org list of
>>>>> admins) has received instructions at one point or another
>>>>> (actually, multiple times now.)
>>>> Barry, it seems many people with root access on (at least) dinsdale
>>>> aren't on roto-rooters. We should probably fix that, and make sure
>>>> everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
>>>> can access the remote console/powerswitch as well (unless they have
>>>> a reason not to want that access, I guess.)

--
http://www.voidspace.org.uk/
Re: [pydotorg-www] Repeated outages of python.org
* M.-A. Lemburg :
> Ralf Hildebrandt wrote:
> > Done
>
> Thanks.

I disabled it again. We should discuss this. Public Archives or not?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [pydotorg-www] Repeated outages of python.org
Ralf Hildebrandt wrote:
> Done

Thanks.

> * M.-A. Lemburg :
>> Could one of the list admins please turn the list archive
>> of the pydotorg-www list into a private one ?
>>
>> I don't think it's a good idea to let our setup information leak
>> to the Internet via search engines.
>>
>> Thanks.
>>
>> Thomas Wouters wrote:
>>> On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
>>>
>>>> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
>>>>
>>>>> Georg Brandl writes:
>>>>>> Do we have the resources to monitor it a little more carefully
>>>>>> from now on until we found out what the cause is? Could it be
>>>>>> some kind of attack?
>>>>>
>>>>> It looks like power-cycling privileges should be given to more
>>>>> people (Georg for example :-)), to avoid potentially long outages
>>>>> like this.
>>>>
>>>> The problem isn't really 'powercycle privileges', but 'sysadmins
>>>> looking after the machines' (the former should come with the
>>>> latter.) I haven't been involved with the setup and maintenance of
>>>> these machines, and I shouldn't be the only one who can powercycle
>>>> them -- everyone with root on the machine really should be able to,
>>>> and everyone on roto-root...@wooz.org (the non-python.org list of
>>>> admins) has received instructions at one point or another
>>>> (actually, multiple times now.)
>>>
>>> Barry, it seems many people with root access on (at least) dinsdale
>>> aren't on roto-rooters. We should probably fix that, and make sure
>>> everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
>>> can access the remote console/powerswitch as well (unless they have
>>> a reason not to want that access, I guess.)

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jul 25 2011)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free !

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
Re: [pydotorg-www] Repeated outages of python.org
Hi Michael,

Michael Foord wrote:
> On 25/07/2011 09:56, M.-A. Lemburg wrote:
>> Could one of the list admins please turn the list archive
>> of the pydotorg-www list into a private one ?
>>
>> I don't think it's a good idea to let our setup information leak
>> to the Internet via search engines.
>
> The *point* of pydotorg-www is that it is a public list. Private
> information should be sent to pydotorg not pydotorg-www.

I was only talking about the archives, not making it a private
list altogether.

> Michael
>>
>> Thanks.
>>
>> Thomas Wouters wrote:
>>> On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
>>>
>>>> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
>>>>
>>>>> Georg Brandl writes:
>>>>>> Do we have the resources to monitor it a little more carefully
>>>>>> from now on until we found out what the cause is? Could it be
>>>>>> some kind of attack?
>>>>>
>>>>> It looks like power-cycling privileges should be given to more
>>>>> people (Georg for example :-)), to avoid potentially long outages
>>>>> like this.
>>>>
>>>> The problem isn't really 'powercycle privileges', but 'sysadmins
>>>> looking after the machines' (the former should come with the
>>>> latter.) I haven't been involved with the setup and maintenance of
>>>> these machines, and I shouldn't be the only one who can powercycle
>>>> them -- everyone with root on the machine really should be able to,
>>>> and everyone on roto-root...@wooz.org (the non-python.org list of
>>>> admins) has received instructions at one point or another
>>>> (actually, multiple times now.)
>>>
>>> Barry, it seems many people with root access on (at least) dinsdale
>>> aren't on roto-rooters. We should probably fix that, and make sure
>>> everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
>>> can access the remote console/powerswitch as well (unless they have
>>> a reason not to want that access, I guess.)

--
Marc-Andre Lemburg
eGenix.com
Re: [pydotorg-www] Repeated outages of python.org
On 25/07/2011 09:56, M.-A. Lemburg wrote:
> Could one of the list admins please turn the list archive
> of the pydotorg-www list into a private one ?
>
> I don't think it's a good idea to let our setup information leak
> to the Internet via search engines.

The *point* of pydotorg-www is that it is a public list. Private
information should be sent to pydotorg not pydotorg-www.

Michael

> Thanks.
>
> Thomas Wouters wrote:
>> On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
>>
>>> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
>>>
>>>> Georg Brandl writes:
>>>>> Do we have the resources to monitor it a little more carefully
>>>>> from now on until we found out what the cause is? Could it be
>>>>> some kind of attack?
>>>>
>>>> It looks like power-cycling privileges should be given to more
>>>> people (Georg for example :-)), to avoid potentially long outages
>>>> like this.
>>>
>>> The problem isn't really 'powercycle privileges', but 'sysadmins
>>> looking after the machines' (the former should come with the
>>> latter.) I haven't been involved with the setup and maintenance of
>>> these machines, and I shouldn't be the only one who can powercycle
>>> them -- everyone with root on the machine really should be able to,
>>> and everyone on roto-root...@wooz.org (the non-python.org list of
>>> admins) has received instructions at one point or another
>>> (actually, multiple times now.)
>>
>> Barry, it seems many people with root access on (at least) dinsdale
>> aren't on roto-rooters. We should probably fix that, and make sure
>> everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
>> can access the remote console/powerswitch as well (unless they have
>> a reason not to want that access, I guess.)

--
http://www.voidspace.org.uk/
Re: [pydotorg-www] Repeated outages of python.org
Done

* M.-A. Lemburg :
> Could one of the list admins please turn the list archive
> of the pydotorg-www list into a private one ?
>
> I don't think it's a good idea to let our setup information leak
> to the Internet via search engines.
>
> Thanks.
>
> Thomas Wouters wrote:
> > On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
> >
> >> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
> >>
> >>> Georg Brandl writes:
> >>>> Do we have the resources to monitor it a little more carefully
> >>>> from now on until we found out what the cause is? Could it be
> >>>> some kind of attack?
> >>>
> >>> It looks like power-cycling privileges should be given to more
> >>> people (Georg for example :-)), to avoid potentially long outages
> >>> like this.
> >>
> >> The problem isn't really 'powercycle privileges', but 'sysadmins
> >> looking after the machines' (the former should come with the
> >> latter.) I haven't been involved with the setup and maintenance of
> >> these machines, and I shouldn't be the only one who can powercycle
> >> them -- everyone with root on the machine really should be able to,
> >> and everyone on roto-root...@wooz.org (the non-python.org list of
> >> admins) has received instructions at one point or another
> >> (actually, multiple times now.)
> >
> > Barry, it seems many people with root access on (at least) dinsdale
> > aren't on roto-rooters. We should probably fix that, and make sure
> > everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
> > can access the remote console/powerswitch as well (unless they have
> > a reason not to want that access, I guess.)
>
> --
> Marc-Andre Lemburg
> eGenix.com

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [pydotorg-www] Repeated outages of python.org
Could one of the list admins please turn the list archive
of the pydotorg-www list into a private one ?

I don't think it's a good idea to let our setup information leak
to the Internet via search engines.

Thanks.

Thomas Wouters wrote:
> On Sun, Jul 24, 2011 at 11:19, Thomas Wouters wrote:
>
>> On Sun, Jul 24, 2011 at 06:37, Antoine Pitrou wrote:
>>
>>> Georg Brandl writes:
>>>> Do we have the resources to monitor it a little more carefully
>>>> from now on until we found out what the cause is? Could it be
>>>> some kind of attack?
>>>
>>> It looks like power-cycling privileges should be given to more
>>> people (Georg for example :-)), to avoid potentially long outages
>>> like this.
>>
>> The problem isn't really 'powercycle privileges', but 'sysadmins
>> looking after the machines' (the former should come with the
>> latter.) I haven't been involved with the setup and maintenance of
>> these machines, and I shouldn't be the only one who can powercycle
>> them -- everyone with root on the machine really should be able to,
>> and everyone on roto-root...@wooz.org (the non-python.org list of
>> admins) has received instructions at one point or another
>> (actually, multiple times now.)
>
> Barry, it seems many people with root access on (at least) dinsdale
> aren't on roto-rooters. We should probably fix that, and make sure
> everyone is added to ~psf/.ssh/authorized_keys on xs4all.nl so they
> can access the remote console/powerswitch as well (unless they have
> a reason not to want that access, I guess.)

--
Marc-Andre Lemburg
eGenix.com