Re: Auditing Code (security wise)

Quote:

the pages were to be viewed via say telnet



Do you mean executing the scripts from the command line, as opposed to via HTTP?

I attended a one-day seminar on web applications security last year. I'll dig out my notes and post them.



Re: ImpressCMS - Team building

  • 2007/12/9 2:25:27
  • herko

My first reaction is: don't make the same mistake I did, and the one that DJ made a thousandfold bigger: organize to get organized.

Teams are a very nice concept, but they have only temporary value. No team I have seen (and I have seen a LOT of teams!) has the stamina to keep working for more than a few months, and that is when it is working at all.
I propose to skip the roll call and name listing games and go right to the heart of the matter: projects.
Instead of creating teams who are responsible for certain sets of tasks (which implicitly means you're excusing everyone else from feeling any responsibility for this work!), create projects to get a specific result in a specific way. Then, teams can be formed around these projects, but they'd be temporary and focused. Appoint one project lead who gets the task of making sure that the project is in sync with the rest, and you've got yourself a manageable structure where open collaboration is the standard.
Anyone can start a project, and ask for support from something that manages the assets.

Herko

Tomorrow never comes until it's too late


Re: ImpressCMS - Team building

My first reaction was '3 months is too short'. The reason being that it adds extra time just to reset and make transitions between the 'top man/woman'. Transitions are always unproductive.

I know the intent is to keep the potential for disaster while a particular person is in that seat, but for someone intent on doing things their way, it only takes a matter of weeks to foul things up.

My second reaction was to hold off until the draft proposal has more definition. It has some good principles and if we appear to be acting without consideration for their efforts, our credibility is at risk.

The task groups in this proposal are very close to what the proposal team is moving forward. And that is a good thing, because it deals with the actual work that needs to be done and applying the resources where needed.

A lot is happening and I feel a bit lost at times. A clear vision, as Herko was saying, is definitely higher on the list of things to be done for me.

Actual work processes (ooh, I hate that I just said that) need to be established, because they are not evident in the current XOOPS environment - security reviews and audits, code review and comment, feature/functionality/benefit analysis, testing and quality assurance, transparency and integrity are all major items.

One thing we need to keep in the front of our minds at all times - we judge ourselves by our intentions, others judge us by our actions.



Re: ImpressCMS - Team building

Since we have discussed this together David, of course I agree. Now let's see what our fellow friends have to say about this.

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: Auditing Code (security wise)

Very nice initiative Vaughan !

Keep up the good work !

And thanks for the links steve.

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: Want to contribute to ImpressCms

Hi saganxis and welcome here !

Have a read of these forums and start getting involved. And let us know if you have any questions.

Nice to have you here !

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: ImpressCMS - Team building

Please note - that some of the ideas here are based on work by the [[Draft Proposal Team]]

They are still working on their plans, and I feel more of their ideas should be looked into seriously for consideration.



ImpressCMS - Team building

Please note: This is only a proposal at the moment - but I am hoping that you will think it of merit to consider.

--------------------------------------------------

We have been very privileged to have some extremely skilled people getting involved in this project.

However in the fast paced development of the new core, it's becoming more obvious that we need to start the groundwork on internal teams to manage the different areas of our project.

So far - several people have stepped up to help in different areas outside of their usual ones - and I feel that even with "organised teams" - this still is not a bad thing.

So: what teams do we need to work on?

Essentially we need to gather together:


Core Team: We've a large group of talented developers at the moment - and I feel this number could easily rise.

(BTW: I would suggest that anyone who hasn't done so, perhaps completes their "skills" in Sourceforge?)

I'm unsure of exactly the best requirements of this team myself - but I'm sure someone more knowledgeable can add this?


Communications, Documentation & Promotions Team:

These would include people to help relay news from the project development, assist in the production of documentation, and with the promotion of the project.

This team would also include members who can assist with the Wiki site.


Community Forum Moderators:

People willing to assist in the community forum. Trusted members would also have the relevant authority to deal with troublemakers.

Module/Theme Repository Team:

Initially this would just be needed to ensure modules are uploaded and categorised correctly. However, this team would evolve later to improve classification and quality control testing.

Site Maintenance Team:

At the current time - responsible for the planning and installation of the new site.

At a later stage, this team would be partly responsible for general maintenance - but also work with other teams in improving the sites.

* * * * * * * * *
Gradually we will need to expand and change these teams, as fits a growing project - and depending on the teams requirements. But for the moment, if we start on the essential parts - we will at least have something practical to build from.

* * * * * * * * *

I can see a need for the following areas to be covered:

Translations: core translations

Module Development: an alternative to dev.xoops - I would perhaps make the suggestion that we use a separate sourceforge site - with separate forums available?

Akitson has done some groundwork on this with his xoopsmoddev.org site - perhaps he would be willing to assist in such a team?

This could also include Module Security testing, as well as Quality testing as well. (Perhaps a certification program?)

Any feedback on this would be appreciated.


* * * * * * *

Project Management

We are aware from personal experience that having an inflexible management structure is not a good thing.

I have been examining many ideas recently - and have discussed the pros and cons with several people - and I feel the simplest methods are the best:

1) Each team has 1 "top man" (manager, team leader, whatever you wish to call the title) - who is chosen from within the team by voting.

This "top man" will serve for a period of 3 months.

At the end of this time, another "top man" is chosen - or if the team wishes, the same person can stand again.

2) Each of the "top men" will form a team - which will act as the co-ordinators for us all.

Again - their position will only last for 3 months - or less if situations require it.

3) We don't have an overall "leader" - we have elected people from the ranks - who have to contribute their best.



Re: GoPHP5

I also prefer to use only PHP5 as Marc stated, but I would suggest leaving the first release supporting PHP4 and focusing on PHP5 for the next major releases. I have had only PHP5 on my servers for months ;)

Predator

- Time is a created thing. To say, "I don't have time" is like saying "I don't want to."
- Lao-Tzu......


Re: Welcome Predator !

Thanks Herko, i had no probs with you in the past ;)

Predator

- Time is a created thing. To say, "I don't have time" is like saying "I don't want to."
- Lao-Tzu......


Re: ImpressCMS Theme

Here's the basic wireframe. I've tested this on IE 6/IE 7/FF 2/Safari 3/Opera 9 all on Windows XP SP2.

If others, on other operating systems could give it a spin and make sure it displays correctly, that would be appreciated.

I figure, the base code we're working on for the iCMS homepage could be the basis for the first new default theme, so I'm throwing in all the block positions initially.

Ana, could you contact me via MSN? I need to talk with you about the graphics. Thanks!

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Auditing Code (security wise)

Yes, yes, yes!

There are many tools that may assist us in this effort:
* http://phpsec.org/projects/phpsecinfo/index.html
* http://www.nessus.org/nessus/
* http://www.security-database.com/toolswatch/PHP-Security-Scanner-1-2-added-to.html

I am not skilled enough in PHP or JS to spot vulnerabilities, so I can only start with tools like these.



Re: Auditing Code (security wise)

Just done a quick audit myself.

Well, I say quick, but it actually took me well over 2 hrs to complete, and that was only a very basic audit looking for 1 particular issue.

The issue I have dealt with today is to make sure that header redirects (header() & redirect_header) are all exited properly with exit();

Not an issue for browsers etc., but if the pages were to be viewed via, say, telnet then it could become an issue, as telnet does not understand header functions, so essentially the header redirect is ignored and the rest of the page will be continued on. Exiting the script with exit(); after each redirect will prevent that from happening. It protects from those systems like telnet that don't understand the header redirect function.

Nothing tedious, just a simple check.

I'll continue with this as I go along. Obviously the more complex coding and vulnerabilities will be beyond my knowledge, but for those that I know about, I'll fix as I go.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
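The pattern Vaughan describes above, as an added illustration (this is not ImpressCMS code and not part of the original post). The underlying behaviour is that PHP does not stop executing when header('Location: ...') is called: everything after it still runs and is sent as the body of the 302 response, so any client that does not follow redirects (curl without -L, a raw HTTP request, a script) receives the "protected" page content. The authorisation check, page names and redirect target below are assumptions standing in for the real ones.

```php
<?php
// Added example, not code from ImpressCMS or this thread.
// Shows why every header('Location: ...') / redirect_header() call must be
// followed by exit(): PHP keeps executing the rest of the script, and a
// client that ignores the Location header gets the remaining output.
// Plain PHP 5-style code so it matches the era of the discussion.

// Hypothetical authorisation check, standing in for the real user object.
function currentUserIsAdmin()
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// VULNERABLE: the redirect header is sent, but nothing stops execution.
// A browser follows the 302 and the user never sees the body, which is why
// this goes unnoticed in normal testing.
function adminPageVulnerable()
{
    if (!currentUserIsAdmin()) {
        header('Location: /user.php?op=login');
        // missing exit(): everything below still runs and is sent to the client
    }
    echo "<h1>Admin panel</h1>\n";
    echo "<p>Sensitive settings would be rendered here.</p>\n";
}

// FIXED: a small helper that always terminates after the redirect.
function redirectAndExit($url, $status = 302)
{
    // Refuse CR/LF so a user-influenced $url cannot smuggle extra headers.
    // Current PHP versions reject such header values themselves; the check
    // makes the intent explicit and gives a clean failure.
    if (preg_match('/[\r\n]/', $url)) {
        header('HTTP/1.1 400 Bad Request');
        exit('Invalid redirect target');
    }
    header('Location: ' . $url, true, $status);
    exit();   // nothing after the redirect can ever be sent
}

function adminPageFixed()
{
    if (!currentUserIsAdmin()) {
        redirectAndExit('/user.php?op=login');
    }
    echo "<h1>Admin panel</h1>\n";
    echo "<p>Sensitive settings would be rendered here.</p>\n";
}

// Pick the variant to serve; for a manual check run the vulnerable one first.
session_start();
adminPageVulnerable();
```

To see the difference without a browser, serve the file with PHP's built-in server (`php -S localhost:8000`) and request it with `curl -i http://localhost:8000/admin.php` (no `-L`): the vulnerable variant returns `HTTP/1.1 302 Found` followed by the full admin HTML in the body, while the fixed variant returns the 302 with an empty body. For the audit itself, a quick grep such as `grep -rn -A1 "header('Location" .` over the tree lists each redirect with the line after it, so the ones not followed by `exit();` or `return` stand out.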


Re: Welcome Predator !

  • 2007/12/8 10:59:31
  • herko

Yup, a warm welcome from me too. Pred, I'm not managing this project, so you should feel more at home now

Herko

Tomorrow never comes until it's too late


Re: Welcome Predator !

Wow, I neglected one day of viewing this forum and already there is more good news. Welcome Predator, I'm sure I/we will enjoy your presence/skills/views. Yep, I'm happy ;)



Re: Date language other than English

  • 2007/12/8 10:01:24
  • Tom

I'd love to see this option configurable in the admin and also as Dave suggested within the users profile so they can set how they want the date to appear for them personally.

I would also like to avoid what some modules do which allow the date to be set in admin, and that is to simply say to the user go to php.net and figure it out yourself.

Although it's relatively easy to figure out, our CMS targets people who sometimes don't wish to learn PHP, settings or variables; a CMS is there to make it easier to publish information. So with that in mind, an admin setting perhaps with a drop-down box choosing how it should be displayed.
Or at minimum a simple explanation of the php date settings rather than saying "go figure".



Re: ImpressCMS Theme

That is nice :D

Predator

- Time is a created thing. To say, "I don't have time" is like saying "I don't want to."
- Lao-Tzu......


Re: Date language other than English

I agree that the date/time format should be more easily configurable.

I think it should also be configurable by each user separately.

This may be getting off-topic, but a related issue is that the formatted date/time is constructed in a .php file, which has the side effect that cached blocks such as Recent Topics use the timezone of the last user who caused the block to get cached, rather than the timezone of the current user. It would be better for the .php file to only provide a timestamp to the template, which gets dynamically converted to a formatted date/time.
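An added illustration of the two suggestions above (not ImpressCMS code and not part of either post): Tom's admin/user drop-down of preset formats instead of raw date() format strings, and the point in the post above that a block should hand the template only a raw timestamp so the formatted date is produced at render time for the current viewer rather than frozen into a cached block with the previous viewer's timezone. The preset keys and labels, the function names and the sample topic data are all assumptions.

```php
<?php
// Added example, not code from ImpressCMS or this thread.
// (1) A fixed list of presets is what the admin/user picks from; only the
//     preset key is stored, so no free-form date() format string reaches PHP.
// (2) The block stores a Unix timestamp; formatting happens at render time
//     with the *viewer's* timezone, so caching the block data is safe.

// Hypothetical presets for the drop-down: key => (label shown, date() format).
function datePresets()
{
    return array(
        'long'  => array('label' => '8 December 2007, 10:01',   'format' => 'j F Y, H:i'),
        'short' => array('label' => '08/12/2007 10:01',          'format' => 'd/m/Y H:i'),
        'us'    => array('label' => '12/08/2007 10:01 AM',       'format' => 'm/d/Y h:i A'),
        'iso'   => array('label' => '2007-12-08T10:01:24+00:00', 'format' => DATE_ATOM),
    );
}

// Look up a stored preset key; an unknown or tampered value falls back to 'long'.
function presetFormat($key)
{
    $presets = datePresets();
    return isset($presets[$key]) ? $presets[$key]['format'] : $presets['long']['format'];
}

// Render-time formatting: inputs are the raw timestamp and the viewer's own
// preferences only. An invalid timezone name falls back to UTC instead of
// failing the page.
function formatForViewer($timestamp, $presetKey, $tzName)
{
    try {
        $tz = new DateTimeZone($tzName);
    } catch (Exception $e) {
        $tz = new DateTimeZone('UTC');
    }
    $dt = new DateTime('@' . (int) $timestamp);   // '@' = seconds since the epoch, UTC
    $dt->setTimezone($tz);
    return $dt->format(presetFormat($presetKey));
}

// Simulated "Recent Topics" block data as it would sit in the block cache:
// timestamps only, nothing viewer-specific. Constructed sample data.
function recentTopicsBlockData()
{
    return array(
        array('title' => 'Auditing Code (security wise)', 'posted' => 1197108084), // 2007-12-08 10:01:24 UTC
        array('title' => 'GoPHP5',                        'posted' => 1197059400), // 2007-12-07 20:30:00 UTC
    );
}

// Template side: the same cached data rendered for the current viewer.
function renderRecentTopics(array $block, $presetKey, $tzName)
{
    $out = "<ul>\n";
    foreach ($block as $topic) {
        $out .= '  <li>' . htmlspecialchars($topic['title'], ENT_QUOTES, 'UTF-8')
              . ' (' . formatForViewer($topic['posted'], $presetKey, $tzName) . ")</li>\n";
    }
    return $out . "</ul>\n";
}

// Two viewers, one cached block, two correct local times.
$block = recentTopicsBlockData();
echo renderRecentTopics($block, 'long', 'Europe/Amsterdam');   // 8 December 2007, 11:01
echo renderRecentTopics($block, 'us',   'America/Montreal');   // 12/08/2007 05:01 AM
```

The block cache key stays viewer-independent because nothing viewer-specific is stored; the preset key and timezone name come from the current user's profile (or the admin default) at render time, and both are validated before use rather than trusted as submitted.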



Re: ImpressCMS Theme

Yes - that's pretty much the idea (different colours per site) I believe



Re: Date language other than English

Quote:


Vaughan wrote:
I've always wondered why the date/time script has to be hardcoded in global.php

Could we not put this into a preference setting that will allow users to change this from admin without editing files?

Use the PHP date function etc. I'm not sure if by doing that it would make multilanguage easier in that regard.



Yes, please!