Tuesday, September 25, 2012

Re: spam scripts on vim.org

Am I right that this was caught within 24h only and fixed in not
much more time? At this point I'd like to say "Good work" to whoever
contributed to this outcome !!

Excerpts from Charles Campbell's message of Tue Sep 25 16:21:50 +0200 2012:
> Um, that isn't what I said, or at least not what I intended to say. So,
> I'll break it down a bit:
I agree that it might solve a lot of this problem - and that it would
make it a lot harder for people to upload such files.

The interesting question is: Why are they uploaded? What is their
purpose?

Possible:
- they want to hack www.vim.org (and hack customer browsers and
machines)
- they want to upload data which they use to steer other bots (eg some
IP addresses hidden in some images)
- intentionally upload bad scripts installing viruses which harm your
computer. (Did this ever happen in the past?)

The files contained <?php code which makes me think they tried to hack
the server (eg by using memory corruption or the like in some strange
tiff libraries or whatsoever).
However it could be a fake, and their target is other code on client
machines - who knows?

If they want to hack www.vim.org -

As maintainer of VAM I also see that quite a lot of VimL code is happily
distributed on github only without being uploaded to www.vim.org.

For a long time I have had in mind making the www.vim.org distribution
process simpler, eg only provide a github url once, and then let
www.vim.org poll for updates every 3 days or so.

If we started reviewing coders/ code/ uploads - this would mean that there
was a strong reason for propagating the use of www.vim.org as the source.

vim-addon-manager-known-repositories could serve a similar purpose - and
I'd love to see this all being part of www.vim.org. Lack of time (and
not wanting to use PHP for new work) prevented me from finishing new
proposals.

> (I can't return the favor to post this as if it were from you because
> GSFC's outgoing system won't let me :|
Just rent any virtual server (there are services even allowing you to do
so for a couple of hours) - *ignore their terms of service* - and here you
go - setting up an SMTP mailer is enough.

What can you do against such things? There are different ways to sign or even
encrypt emails. This way you can prove the origin of an email.

Wikipedia lists them all.

Marc Weber

--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
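The message above notes that the spam uploads contained `<?php` code inside files that should have been Vim scripts or images. The following is an added example, not code from the post or from vim.org: a small upload scanner that flags PHP open tags anywhere in a submitted file, checks that an image upload actually starts with its format's magic bytes, and rejects extensions a plugin site has no reason to accept. The `scan_upload` and `scan_all` functions and the sample uploads are constructed for this illustration.

```python
"""Scan plugin-site uploads for embedded PHP code and mismatched file types.

Added example (hypothetical scanner, not vim.org's own code). It assumes
uploads arrive as (filename, bytes) pairs; the sample uploads below are
constructed for this example.
"""
import os
import re

# PHP open tags: the full "<?php" tag and the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Leading bytes an image with the given extension must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
}

# Extensions a Vim plugin upload legitimately carries as plain text.
TEXT_EXTS = {".vim", ".txt"}


def scan_upload(filename: str, data: bytes) -> list[str]:
    """Return a list of finding codes for one uploaded file (empty = clean)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()

    # 1. PHP code has no business in a Vim script or an image, wherever it sits.
    for m in PHP_TAG.finditer(data):
        findings.append(f"php-tag@{m.start()}")

    # 2. A file claiming to be an image must start with that format's magic bytes.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")

    # 3. A Vim script should be plain text; NUL bytes mean something else was packed in.
    if ext in TEXT_EXTS and b"\x00" in data:
        findings.append("binary-in-text")

    # 4. Unknown extension: neither a script nor a recognised image type.
    if ext not in MAGIC and ext not in TEXT_EXTS:
        findings.append(f"unexpected-ext:{ext or 'none'}")

    return findings


# Constructed sample uploads (not real vim.org submissions).
SAMPLES = {
    "align.vim": b'" Align plugin\nfunction! Align()\nendfunction\n',
    # Valid PNG header followed by padding and a PHP tag appended to the image.
    "screenshot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b'<?php echo "hi"; ?>',
    # Double extension so the server might serve it as PHP.
    "notes.txt.php": b'<?= "hi" ?>',
}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample and map filename -> findings."""
    return {name: scan_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {'clean' if not findings else ', '.join(findings)}")
```

Run as a script it reports `align.vim` as clean, flags the PHP tag hidden after the PNG header in `screenshot.png`, and flags both the tag and the unexpected `.php` extension on `notes.txt.php`. A real upload pipeline would quarantine anything with a non-empty finding list for a human to look at rather than publishing it.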
