Hi! I've developed my extension and I am not yet sure it's stable enough to be uploaded to MediaWiki SVN. Also, I don't have SVN commit access, and I am not sure that I will be able to continuousely support my extension in the future (to make sure it will be compatible with the future versions of MediaWiki).
I've created a documentation page for my extension at mediawiki.org, then tried to upload tgz archive with it. But, MediaWiki refuses such upload by default, and there's no way to enable it besides adding some obvious settings to LocalSettings.php file (I've done it for my local wikis).
In #mediawiki IRC channel I've been told that tgz upload is insecure and poses a risk. I am a bit in doubts about that. First of all, tgz files are so much integral part of unix/linux distributions, that most of possible overflow and injections bugs should be fixed already. Second, anyway, user has to follow a some link (let's say on the external site). Risk (if there's any?) isn't really going away. Dmitriy
On Tue, May 5, 2009 at 1:51 AM, Dmitriy Sintsov questpc@rambler.ru wrote:
In #mediawiki IRC channel I've been told that tgz upload is insecure and poses a risk.
Allowing tgz uploads would allow the upload of arbitrary file formats. We do not want to do this. For one thing, it's insecure: users might think it's safe to install a binary executable just because it's from mediawiki.org, but downloads aren't actually vetted. Noticeably third-party downloads hopefully will be treated with some more caution.
For another thing, allowing archive formats permits the upload of content we don't want to permit on ideological grounds, or that cannot be distributed under the GFDL. For instance, binaries without accompanying source code; or DRM-encumbered data formats; or formats that are otherwise not open because, for instance, they aren't specified fully enough to permit full open-source implementations (e.g., .doc). The first two cases not only are at least arguably contrary to Wikimedia's mission -- see http://meta.wikimedia.org/wiki/File_format_policy, although that never passed AFAIK -- but are probably not legal as long as we're only allowed to distribute under the GFDL.
MediaWiki extensions can just have their source code pasted into their extension pages. This is marginally less convenient, but not by much. I don't think Wikimedia is going to allow arbitrary file formats to be uploaded anytime soon (and that's basically what .tgz would permit).
* Aryeh Gregor Simetrical+wikilist@gmail.com [Tue, 5 May 2009 09:22:01 -0400]:
On Tue, May 5, 2009 at 1:51 AM, Dmitriy Sintsov questpc@rambler.ru wrote:
In #mediawiki IRC channel I've been told that tgz upload is insecure and poses a risk.
Allowing tgz uploads would allow the upload of arbitrary file formats. We do not want to do this. For one thing, it's insecure: users might think it's safe to install a binary executable just because it's from mediawiki.org, but downloads aren't actually vetted. Noticeably third-party downloads hopefully will be treated with some more caution.
For another thing, allowing archive formats permits the upload of content we don't want to permit on ideological grounds, or that cannot be distributed under the GFDL. For instance, binaries without accompanying source code; or DRM-encumbered data formats; or formats that are otherwise not open because, for instance, they aren't specified fully enough to permit full open-source implementations (e.g., .doc). The first two cases not only are at least arguably contrary to Wikimedia's mission -- see http://meta.wikimedia.org/wiki/File_format_policy, although that never passed AFAIK -- but are probably not legal as long as we're only allowed to distribute under the GFDL.
MediaWiki extensions can just have their source code pasted into their extension pages. This is marginally less convenient, but not by much. I don't think Wikimedia is going to allow arbitrary file formats to be uploaded anytime soon (and that's basically what .tgz would permit).
Pasting the code is suitable only for small extensions, mine is medium-size, has many source files and I can't imagine installing it such way.
I believe there was a trick which would overcome tgz upload restriction - some years ago, I've seen text-format archives inside unix shell scripts, which can be extracted with bash (or maybe even just sh) - probably just MIME decoding then passing to tar/gzip. Then, such file can probably be uploaded with different extension, while at documentation page one would ask to rename and run the file after a download.
But anyway, I've choosed a _free_ hosting for my extension, I hope the hoster won't delete it any time soon. Just an external tgz link. Dmitriy
On May 5, 2009, at 1:51 AM, Dmitriy Sintsov wrote:
Hi! I've developed my extension and I am not yet sure it's stable enough to be uploaded to MediaWiki SVN. Also, I don't have SVN commit access, and I am not sure that I will be able to continuousely support my extension in the future (to make sure it will be compatible with the future versions of MediaWiki).
Consider the Toolserver, Sourceforge, GitHub, or even applying to make your own branch in the Mediawiki SVN.
What is your extension, anyway?
-Jeff
Pasting the code is suitable only for small extensions, mine is medium-size, has many source files and I can't imagine installing it such way.
I believe there was a trick which would overcome tgz upload restriction - some years ago, I've seen text-format archives inside unix shell scripts, which can be extracted with bash (or maybe even just sh) - probably just MIME decoding then passing to tar/gzip. Then, such file can probably be uploaded with different extension, while at documentation page one would ask to rename and run the file after a download.
But anyway, I've choosed a _free_ hosting for my extension, I hope the hoster won't delete it any time soon. Just an external tgz link.
Is there some reason your extension can't be hosted on wikimedia's svn? Is it not freely licensed?
V/r,
Ryan Lane
* Jeff Ferland jeff@storyinmemo.com [Tue, 5 May 2009 15:23:34 -0400]:
Consider the Toolserver, Sourceforge, GitHub, or even applying to make your own branch in the Mediawiki SVN.
Ok, thanks for the tips.
What is your extension, anyway?
http://mediawiki.org/wiki/Extension:QPoll [http://mediawiki.org/wiki/ExtensionL] I don't know whether it's good enough for SVN, also I am not sure I'd have the time to maintain it. Dmitriy
* "Lane, Ryan" Ryan.Lane@ocean.navo.navy.mil [Tue, 5 May 2009 15:43:21 -0500]:
Is there some reason your extension can't be hosted on wikimedia's
svn?
Is it not freely licensed?
Nope, it's free - GNU GPL. It's just I am not sure it's really good enough and I've been told I have to maintain it - keep it compatible with the future versions of MediaWiki. Dmitriy
Dmitriy Sintsov wrote:
I don't know whether it's good enough for SVN, also I am not sure I'd have the time to maintain it. Dmitriy
Stop thinking "it may not be good enough"! You should really place it into the SVN. There it will be better supported and at least won't be at the mercy of your free hosting. You can get commit access yourself, or get soeone with access to commit it (open a bug, grab some volunteer on irc...)
* Platonides Platonides@gmail.com [Thu, 07 May 2009 01:20:25 +0200]:
Dmitriy Sintsov wrote:
I don't know whether it's good enough for SVN, also I am not sure I'd have the time to maintain it. Dmitriy
Stop thinking "it may not be good enough"! You should really place it into the SVN. There it will be better supported and at least won't be at the mercy of your free hosting. You can get commit access yourself, or get soeone with access to
commit
it (open a bug, grab some volunteer on irc...)
Ok, thanks for the support. Maybe I'll try a bit later (a new version of extension is a half-way but now I have too much of other work to finish new features). Dmitriy
wikitech-l@lists.wikimedia.org