On Sat, Aug 17, 2013 at 12:47 PM, Faidon Liambotis <faidon(a)wikimedia.org> wrote:
> On Fri, Aug 16, 2013 at 08:04:24PM -0400, Zack Weinberg wrote:
>> Hi, I'm a grad student at CMU studying network security in general and
>> censorship / surveillance resistance in particular. I also used to work for
>> Mozilla, some of you may remember me in that capacity. My friend Sumana
>> Harihareswara asked me to comment on Wikimedia's plans for hardening the
>> encyclopedia against state surveillance.
>> <snip>
> First of all, thanks for your input. It's much appreciated. As I'm sure
> Sumana has already mentioned, all of our infrastructure is being developed
> in the open using free software and we'd also be very happy to accept
> contributions in code/infrastructure-as-code as well.
hi faidon, i do not think you personally and WMF are particularly
helpful in accepting contributions. because you:
* do not communicate the problems openly
* do not report upstream publicly
* do not ask for help, and even if it gets offered you just ignore it
with quite some arrogance
let me give you an example as well.
git.wikimedia.org broke, and you, faidon, did _absolutely nothing_ to
give good feedback to upstream to improve the gitblit software. you and
colleagues did though adjust robots.txt to reduce the traffic arriving
at git.wikimedia.org.
which is, in my opinion, "paying half of the rent". see
* our bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=51769,
includes details on how to take a stack trace
* upstream bug:
https://code.google.com/p/gitblit/issues/detail?id=294, no stacktrace
reported
> That being said, literally everything in your mail has already been
> considered and discussed multiple times :), plus a few others you didn't
> mention (GCM ciphers, OCSP stapling, SNI & split certificates, short-lived
> certificates, ECDSA certificates). A few have been discussed on wikitech,
> others are under internal discussion & investigation by some of us with
> findings to be posted here too when we have something concrete.
> I don't mean this to sound rude, but I think you may be oversimplifying the
> situation quite a bit.
....
> Is dedicating (finite) engineering time to write the necessary code for
> e.g. gdnsd to support DNSSEC, just to be able to support DANE for
> which there's exactly ZERO browser support, while at the same time
> breaking a significant chunk of users, a sensible thing to do?
i don't mean this to sound rude, but you give me the impression that
you handle the https and dns case similarly to the gitblit case. you
tried some approaches, and let me perceive that you think only in your
wmf box. i'd really appreciate some love towards other projects here,
and getting things fixed at the source as well, in the mid term (i.e.
months, one or two years).
rupert