You can argue that software is like cars. Problems are found after, and sometimes long
after, the product is in the hands of a customer. In both cases the developers will look
at the problem and decide if the problem is serious enough for a recall or patch.
Software is unique in that it is one of the few products which can "dial home".
If cars could do this we would demand that car makers allow cars to upgrade themselves at
our request and convenience at the press of a button. I do not understand the
"controversy" when it comes to software. Whether the software dials home to
check on updates or not can be an enabled feature. I use a lot of software which dials
home such as Firefox, Mac OS X, and even my eMachines PC came with an upgrade tool to
maintain the Windows OS.
My gut feeling is that the developers of MediaWiki are focused on developing for Wikipedia
almost to exclusion, and have stated as much many times when features were requested. I
do not have a problem with this; I am just very happy they have decided to share their
wonderful software openly. However, with the decision to share the software comes some
level of responsibility, which I have seen grow over time, with quick repairs to the
software and notices to subscribers. "Dialing home" would definitely
enhance this ability, so I cannot understand the controversy, except in the mindset of
Wikipedia-centric development.
So, I would encourage a "dial home" feature, not only for the MediaWiki software
but also an API to allow extension software to dial home. The more tools available to
assist in securing software the better.
-Jim
-----Original Message-----
From: Tim Starling [mailto:tstarling@wikimedia.org]
Sent: Friday, July 30, 2010 12:35 AM
To: mediawiki-l(a)lists.wikimedia.org; wikitech-l(a)lists.wikimedia.org
Subject: [Mediawiki-l] MediaWiki version statistics
Cross-posted to
<http://techblog.wikimedia.org/2010/07/mediawiki-version-statistics/>
Some kind people at Qualys have surveyed versions of open source web
apps present on the web, including MediaWiki. Here is the relevant
page from their presentation:
http://wimg.co.uk/3jK.png
For the original see:
https://community.qualys.com/docs/DOC-1401
And the press release:
<http://www.qualys.com/company/newsroom/newsreleases/usa/view/2010-07-28/>
They make the point that 95% of MediaWiki installations have a
"serious vulnerability", whereas only 4% of WordPress installations
do. While WordPress's web-based upgrade utility certainly has a
positive impact on security, I feel I should point out that what
WordPress counts as a serious vulnerability does not align with
MediaWiki's definition of the same term.
For instance, if a web-based user could execute arbitrary PHP code on
the server, compromising all data and user accounts, we would count
that as the most serious sort of vulnerability, and we would do an
immediate release to fix it. We're proud of the fact that we haven't
had any such vulnerability in a stable release since 1.5.3 (December
2005).
However, in WordPress they count this as a feature, and all
administrators can do it. Similarly, WordPress avoids the difficult
problem of sanitising HTML and CSS while preserving a rich feature set
by simply allowing all authors to post raw HTML.
If you are running MediaWiki in a CMS-like mode, with whitelist edit
and account creation restricted, then I think it's fair to say that in
terms of security, you're better off with MediaWiki 1.14.1 or later
than you are with the latest version of WordPress.
However, the statistics presented by Qualys show that an alarming
number of people are running versions of MediaWiki older than 1.14.1,
which was the most recent fix for an XSS vulnerability exploitable
without special privileges. There is certainly room for us to do better.
We have a new installer project in development, which we hope to
release in 1.17. It includes a feature which encourages users to sign
up for our release announcements mailing list. But maybe we need to do
more. Should we take a leaf from WordPress's book, and nag
administrators with a prominent notice when they are not using the
latest version? Such a feature would require MediaWiki to "dial home",
which is controversial in our developer community.
-- Tim Starling
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
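The update notice Tim proposes and the "95% are vulnerable" figure from the Qualys survey both reduce to the same computation: parse the installed version, compare it against the newest release and against the oldest release that still carries the relevant security fix, and classify the result. The block below is an added example written for this page; it is not MediaWiki's, WordPress's or Qualys's code, and the manifest shape (`latest`, `min_secure`), the sample version strings and the survey list are constructed for illustration. The only figure taken from the thread is 1.14.1 as the most recent fix for an XSS exploitable without special privileges. The network fetch is deliberately left out: the function takes the manifest as input so the decision logic can be tested offline.

```python
import re
from dataclasses import dataclass

# Pre-release tags in ascending order; a final release (no tag) ranks above all of them.
# Getting this ordering wrong is the classic bug in update checkers: "1.16.0beta2"
# must be reported as older than "1.16.0", not newer.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

# Accepts strings such as "1.14.1", "1.16", "1.16.0beta2", "1.15.0-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(alpha|beta|rc)(\d*))?$", re.I)


def parse_version(text):
    """Turn a version string into a tuple that compares correctly with plain <."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if tag is None:
        pre = (FINAL_RANK, 0)
    else:
        pre = (PRERELEASE_RANK[tag.lower()], int(tagnum or 0))
    return numeric + pre


@dataclass(frozen=True)
class UpdateAdvice:
    level: str       # "security", "update-available" or "ok"
    installed: str
    latest: str
    message: str


def check_version(installed, manifest):
    """Classify an installed version against a (constructed) release manifest.

    manifest = {"latest": newest release, "min_secure": oldest release that has
    every known unprivileged fix}.  Anything below min_secure is a security
    notice, anything below latest is a routine update nag.
    """
    inst = parse_version(installed)
    latest = parse_version(manifest["latest"])
    min_secure = parse_version(manifest["min_secure"])
    if inst < min_secure:
        return UpdateAdvice("security", installed, manifest["latest"],
                            f"{installed} is older than {manifest['min_secure']}, "
                            f"which fixed a vulnerability exploitable without special privileges")
    if inst < latest:
        return UpdateAdvice("update-available", installed, manifest["latest"],
                            f"{installed} is not the latest release ({manifest['latest']})")
    return UpdateAdvice("ok", installed, manifest["latest"], f"{installed} is current")


def tally(installed_versions, manifest):
    """Survey-style count: how many installs fall into each level (the Qualys-type figure)."""
    counts = {"security": 0, "update-available": 0, "ok": 0}
    for v in installed_versions:
        counts[check_version(v, manifest).level] += 1
    return counts


# Constructed manifest: latest and min_secure are illustrative values, not a real release feed.
MANIFEST = {"latest": "1.16.0", "min_secure": "1.14.1"}

# Constructed sample of installed versions, standing in for a crawl like the Qualys one.
SURVEY = ["1.13.3", "1.12.0", "1.14.1", "1.15.1", "1.16.0beta3", "1.16.0"]

if __name__ == "__main__":
    for v in SURVEY:
        advice = check_version(v, MANIFEST)
        print(f"{advice.level:17} {advice.message}")
    print(tally(SURVEY, MANIFEST))
```

Two points for anyone turning this into a real "dial home" feature: the manifest fetch should be opt-in and go over TLS, and the request should carry nothing beyond the installed version string, since the check needs no other information about the site. Keeping the comparison in a pure function, as above, also means the ordering of pre-release tags can be unit-tested without a network.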