
http://haskell.org/ It says "TO BUY Cilamox ONLINE", etc. Whoever has power please fix this and upgrade the bloody wiki. This is ridiculous. Point the domain at tryhaskell.org or something. I'll put a holder page up. Anything. Cheers

On Sun, 11 Jul 2010 19:29:55 +0200
"Christopher" ==
wrote:
Christopher> http://haskell.org/
Christopher>
Christopher> It says "TO BUY Cilamox ONLINE", etc.

This is not good advertisement for Haskell and maybe it's time to deploy more-secure Haskell web apps/frameworks...

Sincerely,
Gour

--
Gour | Hlapicina, Croatia | GPG key: F96FF5F6

On Sun, 11 Jul 2010 14:40:03 -0300
"Felipe" == Felipe Lessa
wrote:
Felipe> As far as I know, haskell.org doesn't run on top of Haskell
Felipe> software.

That's the point. ;)

haskell.org should work on Haskell software in order to prevent such things.

Sincerely,
Gour

--
Gour | Hlapicina, Croatia | GPG key: F96FF5F6

begin Gour quotation:
> On Sun, 11 Jul 2010 14:40:03 -0300
> "Felipe" == Felipe Lessa wrote:
> Felipe> As far as I know, haskell.org doesn't run on top of Haskell
> Felipe> software.
>
> That's the point. ;)
>
> haskell.org should work on Haskell software in order to prevent such things.

This change had nothing to do with Haskell versus not Haskell and was not the result of an exploit in MediaWiki. The haskell.org wiki is set up to only allow logged-in users to edit pages. What appears to have happened is that someone created an account named "Buycilamox" and used it to make the edit in question:

http://www.haskell.org/haskellwiki/?title=Special:Contributions&target=Buycilamox

Now, unless this was a bot-created account, there is nothing that a newer version of MediaWiki would have helped. I believe newer versions either have CAPTCHA/reCAPTCHA built-in or available via a plugin. That could have helped prevent automated account creation, but you still have the problems of hijacked accounts if haskell.org were really a target for such things. I'd go with the most likely explanation in this case and assume that a person created this account and decided to be cute.

Being that there is only one active admin on the Haskell.org wiki (User:Ashley Y), I believe the fact that this page is editable by any user is a policy decision to allow the community to contribute. The page could be protected, but then only two administrators could edit it (assuming John Peterson decided to become active again after two years of not working on the wiki):

http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop

As for whether or not moving this particular wiki to a Haskell-based solution would be a good idea, I don't see it being a win. I don't know of any Haskell-based wikis that support MediaWiki syntax, so the effort would involve converting all the existing content to some other format. Being that MediaWiki's syntax is the most widespread wiki syntax at the moment, I don't see how that would do anything but make it harder for people to contribute.

-md

begin Mike Dillon quotation:
> Being that there is only one active admin on the Haskell.org wiki (User:Ashley Y), I believe the fact that this page is editable by any user is a policy decision to allow the community to contribute. The page could be protected, but then only two administrators could edit it (assuming John Peterson decided to become active again after two years of not working on the wiki):
>
> http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop
>
> As for whether or not moving this particular wiki to a Haskell-based solution would be a good idea, I don't see it being a win. I don't know of any Haskell-based wikis that support MediaWiki syntax, so the effort would involve converting all the existing content to some other format. Being that MediaWiki's syntax is the most widespread wiki syntax at the moment, I don't see how that would do anything but make it harder for people to contribute.

One more thing. On a wiki with active administrators, this user would have been blocked. That hasn't happened. The last block was in August 2009:

http://www.haskell.org/haskellwiki/?title=Special%3ALog&type=block

If there is not someone regularly watching the wiki at all times, it would probably be prudent to protect some of the higher profile pages once there are more admins able to edit them.

-md

On Sun, Jul 11, 2010 at 2:28 PM, Mike Dillon
> begin Mike Dillon quotation:
> > Being that there is only one active admin on the Haskell.org wiki (User:Ashley Y), I believe the fact that this page is editable by any user is a policy decision to allow the community to contribute. The page could be protected, but then only two administrators could edit it (assuming John Peterson decided to become active again after two years of not working on the wiki):
> >
> > http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop
> >
> > As for whether or not moving this particular wiki to a Haskell-based solution would be a good idea, I don't see it being a win. I don't know of any Haskell-based wikis that support MediaWiki syntax, so the effort would involve converting all the existing content to some other format. Being that MediaWiki's syntax is the most widespread wiki syntax at the moment, I don't see how that would do anything but make it harder for people to contribute.
>
> One more thing. On a wiki with active administrators, this user would have been blocked. That hasn't happened. The last block was in August 2009:
>
> http://www.haskell.org/haskellwiki/?title=Special%3ALog&type=block
>
> If there is not someone regularly watching the wiki at all times, it would probably be prudent to protect some of the higher profile pages once there are more admins able to edit them.
>
> -md

Ashley has made me admin; I've spent the last 1.5 hours deleting all the vandalism and indef blocking the accounts. I have Recent Changes in my RSS reader, so hopefully in the future there will be no greater than 24 hours delay before vandalism is dealt with. A MW upgrade will also help (e.g. currently checkuser* seems to be unavailable).

* http://www.mediawiki.org/wiki/Extension:CheckUser

--
gwern

begin Gwern Branwen quotation:
> Ashley has made me admin; I've spent the last 1.5 hours deleting all the vandalism and indef blocking the accounts. I have Recent Changes in my RSS reader, so hopefully in the future there will be no greater than 24 hours delay before vandalism is dealt with. A MW upgrade will also help (e.g. currently checkuser* seems to be unavailable).

Excellent!

Putting aside what I said earlier about protection, which doesn't really work well with a single active admin, it may still be worth putting some protection in place to avoid a non-bot account maliciously sticking something like the goatse.cx pic on the home page of Haskell.org.

The options I know of for doing this are the Patrolled Edits feature and the FlaggedRevs extension. Unfortunately, I don't think either of these can be applied only to a limited set of pages because of the MediaWiki team's asinine insistence that they'll never support per-page authorization mechanism properly.

-md

gwern0:
> Ashley has made me admin; I've spent the last 1.5 hours deleting all the vandalism and indef blocking the accounts. I have Recent Changes in my RSS reader, so hopefully in the future there will be no greater than 24 hours delay before vandalism is dealt with. A MW upgrade will also help (e.g. currently checkuser* seems to be unavailable).

Thank you so much, Gwern!

chrisdone:
> It says "TO BUY Cilamox ONLINE", etc.
>
> Whoever has power please fix this and upgrade the bloody wiki. This is ridiculous. Point the domain at tryhaskell.org or something. I'll put a holder page up. Anything.

It looks like after the Yale machine was repaved, and the mediawiki instance restored, some plugins (and templates) went missing, including those that previously prevented such spam accounts.

A new machine has been purchased this week that will become the primary home for haskell.org, and work is just started to migrate everything to the new machine -- at which point we'll have a *current* MediaWiki for the first time in a long time, new templates etc.

-- Don

On 11 July 2010 20:53, Don Stewart
> It looks like after the Yale machine was repaved, and the mediawiki instance restored, some plugins (and templates) went missing, including those that previously prevented such spam accounts.
>
> A new machine has been purchased this week that will become the primary home for haskell.org, and work is just started to migrate everything to the new machine -- at which point we'll have a *current* MediaWiki for the first time in a long time, new templates etc.
>
> -- Don

Fantastic news! I look forward to it.

participants (6)
- Christopher Done
- Don Stewart
- Felipe Lessa
- Gour
- Gwern Branwen
- Mike Dillon