[darcs-users] cgi script thoughts

Will will at glozer.net
Sun Jul 4 09:43:13 UTC 2004

Hi Simon,

Simon Michael <simon at joyful.com> writes:

> Hello Will Glozer, all.. here are some notes from setting up the new
> CGI script on my server.
> I moved cgi.conf into cgi/ and expanded cgi/README a little - patches
> sent to David's repo.

I suppose the cgi.conf is in the root dir because it is also used by
the original darcs_cgi.lhs.

> configure.ac (I think) sets sysconfdir to /usr/etc/darcs on my system
> when it should be /etc/darcs. Not sure why that is.

The version of darcsrv that I handed over didn't use the config file
or have any autoconf config, so I'll defer to David on this one.

> The docs describe this as "darcsrv" and the script is named
> "darcs.cgi". Is this optimal ? Should the filename be darcsrv ?
> The darcsrv link at the bottom of the UI - hmm, it was linking to the
> darcsrv home page, which was inaccessible. Now it's linking to the
> darcs home page on abridgegame for some reason.

I named the project 'darcsrv' before I knew that David wanted to
include it as part of darcs; it does seem nice to have a convenient
name to refer to it by rather than "that darcs cgi script" =) Since it
is part of darcs now, I don't intend to maintain a separate product page.

That said, I think 'darcs.cgi' is more aesthetically pleasing than
'darcsrv.cgi', but I don't have strong feelings on the matter.

> I have two reservations about running this publicly:
> 1. Like the old cgi script, email addresses are served in the clear,
>    exposing contributors to spammers. This is a problem. I guess we
>    need to at least do a mailman-style "x at y.com" conversion ? Any
>    ideas where in the script to do this, or should it be done in darcs
>    itself ?

It should be pretty easy to do this in the XSLT templates, but is it
really effective?  I would expect email harvesters to be able to parse
many simple obfuscations, and it would be an inconvenience to
legitimate users.  Still, if there is a desire to make this the
default, I will update the templates.
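For illustration, here is a minimal sketch of the mailman-style
rewrite in Python (the names and regex are my own; in practice the
equivalent transformation could live in the XSLT templates instead):

```python
import re

# Mailman-style obfuscation: rewrite "user@host.com" as "user at host.com".
# The pattern is a deliberately simple approximation of an email address,
# not a full RFC 2822 parser.
EMAIL_RE = re.compile(r'\b([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)\b')

def obfuscate(text):
    """Replace each bare email address with its 'x at y.com' form."""
    return EMAIL_RE.sub(r'\1 at \2', text)
```

As noted above, this only deters the laziest harvesters, since the
transformation is trivially reversible.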

> 2. Robot safety. The annotate links seem relatively expensive, taking
>    several seconds. Also these pages form a large network of unique
>    urls.. how many I'm not sure. This seems to add up to yet another
>    way for robots (or a deliberate DDOS attack) to stress my web
>    server. Any thoughts on this ?

This is an important security consideration: everything but the file
listings invokes darcs, which can be very expensive in terms of
processor and memory use.  I would suggest using rlimit, or whatever
your OS's equivalent is, to limit the resource consumption.
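As a sketch of the rlimit idea, a wrapper could cap CPU time and
address space before handing off to darcs (the function name and the
particular limit values here are hypothetical examples, not
recommendations):

```python
import resource

def limit_resources(cpu_seconds=None, mem_bytes=None):
    """Set hard caps on this process (inherited across fork/exec),
    so a runaway darcs invocation is killed by the kernel rather
    than exhausting the web server's resources."""
    if cpu_seconds is not None:
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    if mem_bytes is not None:
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
```

The same effect can be had from a shell wrapper with `ulimit -t` and
`ulimit -v` before exec'ing the CGI.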

I've also envisioned using something such as mod_cache to cache
responses and avoid invoking the CGI at all.
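A hypothetical Apache snippet along those lines might look like the
following (the cache path, URL prefix, and expiry are examples; the
directives assume the mod_cache/mod_disk_cache modules are loaded):

```apache
<IfModule mod_cache.c>
    <IfModule mod_disk_cache.c>
        CacheRoot /var/cache/apache/darcs
        CacheEnable disk /cgi-bin/darcs.cgi
        CacheDefaultExpire 3600
    </IfModule>
</IfModule>
```

The trade-off, of course, is that cached pages can lag behind the
repository until they expire.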

> It's a nice enhancement, thanks!

I'm glad you find it useful!

