[Mediawiki-l] MediaWiki version statistics

Sullivan, James (NIH/CIT) [C] sullivan at mail.nih.gov
Fri Jul 30 13:45:54 UTC 2010


My understanding of "dial home" is that the software will automatically contact a pre-defined website to check whether updates are available and if so allow the automated download of those updates and automatically install them.  Typically, as with WordPress, an administrator has to allow the download and installation.  WordPress also has the annoying feature where it not only shows that updates are available to a logged in administrator but also to any logged in user.  For example, my WordPress dashboard currently says: "WordPress 3.0.1 is available! Please notify the site administrator.", which I can understand might annoy the administrator.  But it explains why WordPress installations are mostly up to date.  On my PC at home Firefox also dials home but has the annoying feature of not asking me whether I want to upgrade and simply starts the upgrade on its own, telling me to wait until it is finished.  My CentOS Linux system also dials home for OS upgrades, and then lists what specific software will be upgraded before asking me to continue to have them upgraded.  So there are different ways to implement a software's ability to dial home and upgrade itself, some more annoying than others, but I think if we are looking for MediaWiki to achieve a high level of notifying administrators and getting it patched, dialing home works better than subscribing to a mail list.

-Jim
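As an added illustration of the "check and notify" half of dial home that Jim describes (this is example code, not MediaWiki's or WordPress's own), the sketch below compares an installed version against the latest-version string an update server is assumed to return, shows the notice only to administrators, and treats a malformed response as "no notice" rather than trusting it. The 1.14.1 threshold is the XSS fix release Tim Starling cites later in the thread; the response format and the notice wording are assumptions.

```python
"""Added sketch of a "dial home" update notice, not MediaWiki's own code.
Assumes the update server returns the latest stable version as a bare
dotted string (a constructed assumption); fetching it is left out."""
import logging
import re
from typing import Optional, Tuple

# Oldest release with the unprivileged-XSS fix named in the thread.
KNOWN_FIX_VERSION = "1.14.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.14.1' -> (1, 14, 1). Anything that is not dotted integers is
    rejected so a malformed or tampered response is never misread."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; pads so 1.14 == 1.14.0 and 1.9 < 1.14.1, which a plain
    string comparison ("1.9" > "1.14.1") would get wrong."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def lacks_known_fix(installed: str) -> bool:
    """True when the install predates the fix release cited in the thread."""
    return compare_versions(installed, KNOWN_FIX_VERSION) < 0


def update_notice(installed: str, latest_response: Optional[str],
                  user_is_admin: bool) -> Optional[str]:
    """Notice text for the current user, or None.
    Only administrators are told (ordinary users cannot act on it), and a
    missing or malformed dial-home response is logged, never displayed."""
    if not user_is_admin or latest_response is None:
        return None
    try:
        if compare_versions(installed, latest_response) < 0:
            return (f"MediaWiki {latest_response.strip()} is available; "
                    f"this wiki runs {installed}.")
    except ValueError as exc:
        logging.warning("ignoring bad update response: %s", exc)
    return None
```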

-----Original Message-----
From: nevio carlos de alarcão [mailto:nevinhoalarcao at gmail.com] 
Sent: Friday, July 30, 2010 9:22 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] MediaWiki version statistics

Hi, could you explain what this dial home feature means? It would be
more comprehensible to those who are not software experts but do want to
contribute. Thank you. Regards, Nevio

2010/7/30 Sullivan, James (NIH/CIT) [C] <sullivan at mail.nih.gov>

> You can argue that software is like cars.  Problems are found after, and
> sometimes long after, the product is in the hands of a customer.  In both
> cases the developers will look at the problem and decide if the problem is
> serious enough for a recall or patch.  Software is unique in that it is one
> of the few products which can "dial home".  If cars could do this we would
> demand that car makers allow cars to upgrade themselves at our request and
> convenience at the press of a button.  I do not understand the "controversy"
> when it comes to software.  Whether the software dials home to check on
> updates or not can be an enabled feature.  I use a lot of software which
> dials home such as Firefox, Mac OS X, and even my E-machines PC came with an
> upgrade tool to maintain the Windows OS.
>
> My gut feeling is that the developers of Mediawiki are focused on
> developing for Wikipedia almost to exclusion, and have stated as much many
> times when features were requested, and I do not have a problem with this,
> just being very happy they have decided to share their wonderful software
> openly.  However, in the decision to share the software comes some level of
> responsibility, which I have seen grow over time, with quick repairs to the
> software and notices to subscribers.  However, "dialing home" would
> definitely enhance this ability, so I cannot understand the controversy,
> except in the mindset of Wikipedia centric development.
>
> So, I would encourage a "dial home" feature, not only for the Mediawiki
> software but also an API to allow extension software to dial home.  The more
> tools available to assist in securing software the better.
>
> -Jim
>
> -----Original Message-----
> From: Tim Starling [mailto:tstarling at wikimedia.org]
> Sent: Friday, July 30, 2010 12:35 AM
> To: mediawiki-l at lists.wikimedia.org; wikitech-l at lists.wikimedia.org
> Subject: [Mediawiki-l] MediaWiki version statistics
>
> Cross-posted to
> <http://techblog.wikimedia.org/2010/07/mediawiki-version-statistics/>
>
> Some kind people at Qualys have surveyed versions of open source web
> apps present on the web, including MediaWiki. Here is the relevant
> page from their presentation:
>
> http://wimg.co.uk/3jK.png
>
> For the original see:
>
> https://community.qualys.com/docs/DOC-1401
>
> And the press release:
>
> <http://www.qualys.com/company/newsroom/newsreleases/usa/view/2010-07-28/>
>
> They make the point that 95% of MediaWiki installations have a
> "serious vulnerability", whereas only 4% of WordPress installations
> do. While WordPress's web-based upgrade utility certainly has a
> positive impact on security, I feel I should point out that what
> WordPress counts as a serious vulnerability does not align with
> MediaWiki's definition of the same term.
>
> For instance, if a web-based user could execute arbitrary PHP code on
> the server, compromising all data and user accounts, we would count
> that as the most serious sort of vulnerability, and we would do an
> immediate release to fix it. We're proud of the fact that we haven't
> had any such vulnerability in a stable release since 1.5.3 (December
> 2005).
>
> However in WordPress, they count this as a feature, and all
> administrators can do it. Similarly, WordPress avoids the difficult
> problem of sanitising HTML and CSS while preserving a rich feature set
> by simply allowing all authors to post raw HTML.
>
> If you are running MediaWiki in a CMS-like mode, with whitelist edit
> and account creation restricted, then I think it's fair to say that in
> terms of security, you're better off with MediaWiki 1.14.1 or later
> than you are with the latest version of WordPress.
>
> However, the statistics presented by Qualys show that an alarming
> number of people are running versions of MediaWiki older than 1.14.1,
> which was the most recent fix for an XSS vulnerability exploitable
> without special privileges. There is certainly room for us to do better.
>
> We have a new installer project in development, which we hope to
> release in 1.17. It includes a feature which encourages users to sign
> up for our release announcements mailing list. But maybe we need to do
> more. Should we take a leaf from WordPress's book, and nag
> administrators with a prominent notice when they are not using the
> latest version? Such a feature would require MediaWiki to "dial home",
> which is controversial in our developer community.
>
> -- Tim Starling
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>



-- 
{+}Nevinho
Join the Collaborative Movement http://sextapoetica.com.br !!