[darcs-users] cgi script thoughts

Simon Michael simon at joyful.com
Sun Jul 4 16:09:57 UTC 2004

>That said, I think 'darcs.cgi' is more aesthetically pleasing than
>'darcsrv.cgi', but I don't have strong feelings on the matter.
There's always "viewdarcs".. (viewcvs, viewsvn etc..)

>It should be pretty easy to do this in the XSLT templates, but is it
>really effective?  I would expect the email harvesters to be able to
>parse many simple obfuscations and it would be an inconvenience to
>legitimate users.  Still, if there is a desire to do this as a default I
>will update the templates.
I have never liked email obfuscation. But, projects like mine want to 
attract new contributors, and for some of them this is the first 
exposure of their email address.. when they know they have been 
harvested for eternal spamming as a result of contributing, they are not 
going to be so happy. When I warn them up front, they become more 
reluctant to use darcs and send me clumsy files instead. Since I want 
people using darcs as much as possible, I think that standard 
mailman-style obfuscation would be a help.

On the other hand, if darcs repos proliferate, they could become a 
target for smarter harvesting. With this in mind, perhaps the answer is 
to show only the real name part of the submitter's address. I have 
already switched to this scheme for release notes.

>This is an important security consideration, everything but the file
>listings causes invocations of darcs which can be very expensive in
>terms of processor and memory use.  I would suggest using rlimit or
>whatever your OS's equivalent is to limit the resource consumption.
>I've also envisioned using something such as mod_cache to cache
>responses and avoid invocation of the CGI at all.
Ok.. this is a toughie.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.osuosl.org/pipermail/darcs-users/attachments/20040704/2fdea62e/attachment.htm 

More information about the darcs-users mailing list