Mailing List Archive: Apache: Docs

Comment system, take two



rumble at cord

May 21, 2012, 2:04 PM

Post #1 of 6 (369 views)
Comment system, take two

In light of recent concerns about the Disqus system, I've taken it upon
myself to figure out an alternative we can use for adding comments to
our pages. And so, through the better half of a day, I worked on
creating a new system that is without any evil tracking mechanisms of
any sort except for what people themselves will allow - that is, only
information that is willingly entered will be stored, no IPs or such.

The result (thus far) can be seen at a small test page I made for the
http project at http://c.apaste.info/httpd.html - feel free to give it a
test spin and see what you like.

Quick primer:

Click on "add a comment" to add a comment, or click on "reply" to add a
reply to an existing comment. You can use the "log in" link to the far
right to create a permanent account which will save you the trouble of
having to type your name/email whenever you want to make a new comment.

People that register an account can also be added as moderators/admins,
and thus delete posts as they see fit. Furthermore, moderators receive
notifications when a new comment has been made on a page, and can thus
quickly react if something needs deleting. There is a small Turing test
in action when you submit a comment, so automated spamming should not be
a huge problem. So, basically the same stuff as we had with Disqus,
albeit on a smaller, less fancy scale and without a big disclaimer.

If there are no objections, I intend to try this commentary system out
on a portion of the trunk tomorrow, and then we'll wrap up with some Q&A
on the ML to get the last few things sorted out, and finally vote on the
matter sometime soon.

Should any committer wish to become a moderator (not that there's a
whole lot to do), just reply on the ML and you'll get added if you've
created an account.

With regards,
Daniel.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe [at] httpd
For additional commands, e-mail: docs-help [at] httpd


rbowen at rcbowen

May 22, 2012, 4:22 AM

Post #2 of 6 (343 views)
Re: Comment system, take two [In reply to]

On 2012 5 21 17:04, "Daniel Gruno" <rumble [at] cord> wrote:
>
> In light of recent concerns about the Disqus system, I've taken it upon
> myself to figure out an alternative we can use for adding comments to
> our pages. And so, through the better half of a day, I worked on
> creating a new system that is without any evil tracking mechanisms of
> any sort except for what people themselves will allow - that is, only
> information that is willingly entered will be stored, no IPs or such.
>
> The result (thus far) can be seen at a small test page I made for the
> http project at http://c.apaste.info/httpd.html - feel free to give it a
> test spin and see what you like.
>

Very cool, Daniel. Thanks for this work. +1 to moving forward to testing it
in some portion of the trunk docs.


rainer.jung at kippdata

May 22, 2012, 2:25 PM

Post #3 of 6 (346 views)
Re: Comment system, take two [In reply to]

=== Sorry, sent again, because I forgot the docs list ===

On 21.05.2012 23:04, Daniel Gruno wrote:
> In light of recent concerns about the Disqus system, I've taken it upon
> myself to figure out an alternative we can use for adding comments to
> our pages. And so, through the better half of a day, I worked on
> creating a new system that is without any evil tracking mechanisms of
> any sort except for what people themselves will allow - that is, only
> information that is willingly entered will be stored, no IPs or such.

Great!

> The result (thus far) can be seen at a small test page I made for the
> http project at http://c.apaste.info/httpd.html - feel free to give it a
> test spin and see what you like.

I like it.

+1

Concerning production readiness, some points come to mind:

- Did you pay attention to escaping problematic input? I saw some
escaping, but didn't thoroughly test it. We don't want XSS and such.

- Is there some safety against brute force password hacking for the
registered people, especially the moderators? E.g. locking accounts
after a few wrong passwords.

- Since we want to host it later inside ASF infra: what are the infra
requirements? It seems the server part is written in Lua? Is it based on
httpd 2.4 with mod_lua, or just Lua in CGI scripts or similar?

Thanks!

Rainer



rumble at cord

May 22, 2012, 7:47 PM

Post #4 of 6 (355 views)
Re: Comment system, take two [In reply to]

On 05/22/2012 11:25 PM, Rainer Jung wrote:
> I like it.
>
> +1
>
> Concerning production readiness, some points come to mind:
>
> - Did you pay attention to escaping problematic input? I saw some
> escaping, but didn't thoroughly test it. We don't want XSS and such.
Yes, because the text is inserted using Document.CreateTextNode, all
that is injected is pure text - HTML tags and the likes should not be
possible to inject in any way other than as pure text. Special tags like
<, >, \ etc are escaped in advance, but this is just so it will display
the characters and not make them invisible. No HTML should be injectable.

> - Is there some safety against brute force password hacking for the
> registered people, especially the moderators? E.g. locking accounts
> after a few wrong passwords.
>
Yup, more than 5 bad attempts will start making it difficult for you to
try logging in.
> - Since we want to host it later inside ASF infra: what are the infra
> requirements? It seems the server part is written in Lua? Is it based
> on httpd 2.4 with mod_lua, or just Lua in CGI scripts or similar?
>
Gee, what gave it away? ;)
Right now it's written in Lua yes (should anyone be interested in the
source code, I'd be happy to provide a link to it), and run on 2.4.2
with mod_pLua (a distant cousin to mod_lua that offers me a bit more
flexibility as well as access to POST data*hint hint*). One of the nice
things about writing it in Lua is that it is quite easy to port it to
other languages such as php or perl, should this be needed. The scripts
themselves are quite small, since most of the work is done via JavaScript.

I have already asked Tony if we could host this on httpd.a.o, and the
answer was a kind no since it would require enabling php or mod_plua for
the site, which would either (in the case of plua) be something new and
untested or (in the case of php) bloat up the server. So, while we get
all that sorted out, I'm more than happy to host it myself.

Having said that, it would indeed be nice if we could find somewhere on
infra where this could be hosted, so we could also share the tool with
other sites wishing to incorporate comments in their system.

> Thanks!
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscribe [at] httpd
> For additional commands, e-mail: docs-help [at] httpd
>
With regards,
Daniel.

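The lockout Daniel describes above (more than five bad attempts making further login tries difficult), written out as an added example in JavaScript. This is not the comment system's own code, which runs in Lua on mod_pLua; the class and function names, the 30-second base delay, the doubling schedule and the one-hour cap are assumptions chosen for illustration.

```javascript
// Added example, not the thread's code; thresholds and names are assumptions.
const MAX_FREE_ATTEMPTS = 5;          // failures tolerated before throttling
const BASE_DELAY_MS = 30 * 1000;      // wait imposed by the 6th failure
const MAX_DELAY_MS = 60 * 60 * 1000;  // backoff never exceeds one hour

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock, so the policy is testable
    this.state = new Map();  // account -> { failures, blockedUntil }
  }

  // 0 if an attempt may proceed now, otherwise milliseconds still to wait.
  retryAfterMs(account) {
    const s = this.state.get(account);
    return s ? Math.max(0, s.blockedUntil - this.now()) : 0;
  }

  // Record a failed password check. Beyond MAX_FREE_ATTEMPTS each further
  // failure doubles the enforced wait: 30s, 60s, 120s, ... capped at 1h.
  recordFailure(account) {
    const s = this.state.get(account) || { failures: 0, blockedUntil: 0 };
    s.failures += 1;
    const excess = s.failures - MAX_FREE_ATTEMPTS;
    if (excess > 0) {
      const delay = Math.min(BASE_DELAY_MS * 2 ** (excess - 1), MAX_DELAY_MS);
      s.blockedUntil = this.now() + delay;
    }
    this.state.set(account, s);
    return this.retryAfterMs(account);
  }

  // A correct login clears the counter so a legitimate moderator is not
  // penalised indefinitely for someone else's earlier guesses.
  recordSuccess(account) {
    this.state.delete(account);
  }
}

// The throttle is consulted before the password is verified, so a blocked
// account answers the same for right and wrong passwords and no guess made
// during a lockout ever reaches the credential store.
function attemptLogin(throttle, account, verifyPassword) {
  const wait = throttle.retryAfterMs(account);
  if (wait > 0) return { ok: false, retryAfterMs: wait };
  if (verifyPassword()) {
    throttle.recordSuccess(account);
    return { ok: true, retryAfterMs: 0 };
  }
  return { ok: false, retryAfterMs: throttle.recordFailure(account) };
}
```

Keying the counter by account (as the thread's question implies) rather than by client address is deliberate, since the system stores no IPs; the trade-off is that an attacker can lock a moderator out, which is why the wait is a backoff rather than a permanent lock.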


pctony at apache

May 23, 2012, 12:15 AM

Post #5 of 6 (349 views)
Re: Comment system, take two [In reply to]

Daniel Gruno wrote on Wed, May 23, 2012 at 04:47:10AM +0200:
> On 05/22/2012 11:25 PM, Rainer Jung wrote:
> > I like it.
> >
> > +1
> >
> > Concerning production readiness, some points come to mind:
> >
> > - Did you pay attention to escaping problematic input? I saw some
> > escaping, but didn't thoroughly test it. We don't want XSS and such.
> Yes, because the text is inserted using Document.CreateTextNode, all
> that is injected is pure text - HTML tags and the likes should not be
> possible to inject in any way other than as pure text. Special tags like
> <, >, \ etc are escaped in advance, but this is just so it will display
> the characters and not make them invisible. No HTML should be injectable.
>
> > - Is there some safety against brute force password hacking for the
> > registered people, especially the moderators? E.g. locking accounts
> > after a few wrong passwords.
> >
> Yup, more than 5 bad attempts will start making it difficult for you to
> try logging in.
> > - Since we want to host it later inside ASF infra: what are the infra
> > requirements? It seems the server part is written in Lua? Is it based
> > on httpd 2.4 with mod_lua, or just Lua in CGI scripts or similar?
> >
> Gee, what gave it away? ;)
> Right now it's written in Lua yes (should anyone be interested in the
> source code, I'd be happy to provide a link to it), and run on 2.4.2
> with mod_pLua (a distant cousin to mod_lua that offers me a bit more
> flexibility as well as access to POST data*hint hint*). One of the nice
> things about writing it in Lua is that it is quite easy to port it to
> other languages such as php or perl, should this be needed. The scripts
> themselves are quite small, since most of the work is done via JavaScript.
>
> I have already asked Tony if we could host this on httpd.a.o, and the
> answer was a kind no since it would require enabling php or mod_plua for
> the site, which would either (in the case of plua) be something new and
> untested or (in the case of php) bloat up the server. So, while we get
> all that sorted out, I'm more than happy to host it myself.

I said running php on the main webservers would very likely with a no, I didn't say it would do that. If the service doesn't have to run on the same vhost as the main httpd.a.o site then we could run the service elsewhere in our infrastructure.

>
> Having said that, it would indeed be nice if we could find somewhere on
> infra where this could be hosted, so we could also share the tool with
> other sites wishing to incorporate comments in their system.
>
> > Thanks!
> >
> > Rainer
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: docs-unsubscribe [at] httpd
> > For additional commands, e-mail: docs-help [at] httpd
> >
> With regards,
> Daniel.
>

--

Cheers,
Tony

---------------------------------------------------------------
Tony Stevenson

tony [at] pc-tony // pctony [at] apache // tony [at] caret
GPG: 1024D/51047D66
http://blog.pc-tony.com
---------------------------------------------------------------


rumble at cord

May 23, 2012, 12:34 AM

Post #6 of 6 (347 views)
Re: Comment system, take two [In reply to]

On 05/23/2012 09:15 AM, Tony Stevenson wrote:
> I said running php on the main webservers would very likely with a no,
> I didn't say it would do that. If the service doesn't have to run on the
> same vhost as the main httpd.a.o site then we could run the service
> elsewhere in our infrastructure.
Sorry, yes, what I meant to say was that hosting on httpd.a.o would
likely be a no, which is completely fine, as it doesn't need to be
hosted in any specific location. I've talked to Joe this morning about
the possibility of setting up a place within the Apache space for
hosting it in the future, once the remaining kinks have been sorted out.
I'll keep people apprised of how this progresses.

I've also updated the wiki entry on the comments proposal (
http://wiki.apache.org/httpd/DocsCommentSystem ) to reflect the changes
going on.

Last but not least, I've rolled out the system to the entire trunk (so
there's no more "comments disabled" notices), so let's see how things
work out :)

With regards,
Daniel.


