Jan 03 2009
Yesterday I uploaded the first Foswiki Installer for windows to Foswiki Downloads. It will install Apache 2.2 (if you don’t already have it) and Strawberry Perl and then configure and install Foswiki v1.0.0 beta 3.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Dec 12 2008
In a clear example of TWiki.NET’s new no-testing policy [1], Their star worker has yesterday un-necessarily uploaded over 300 plugins from the wrong branch in Subversion.
Rather than testing each contrib before uploading, as has been the policy on TWiki.org since the Plugins web was created, TWiki.org is now full of buggy, outdated or just plain wrong packages. The only stable option they have is to revert the uploads using rcs - as many plugins are either not up to date in subversion, or worse, are works in progress in Subversion.
Adding that to the latest TWiki 4.2.4 release, which was released with failing unit tests, and some very dubious changes:
we have already submitted to them an updated exploit that is present in 4.2.4 for the CVE-2008-5304 XSS exploit
- presumably they will release 4.2.5 in the next week?
Its a pretty sad time for those of us with users on TWiki (as Foswiki hasn’t released yet), but it has certainly spurred us along, now we need it more than we ever expected.
[1] Tom Barton: issues … impeding progress: an excessively rigorous approach to testing that actually inhibited less experienced developers from contributing code; …
Dec 09 2008
if you’re working or just running Perl on Windows, drop everything, run, don’t walk, to StrawberryPerl. Adam Kennedy has not only made a real Perl for windows, he’s made a _proper_ Perl . One where CPAN just plain works.
Even better, he’s made a Perl that you can use portably, from your USB stick, so you don’t even need to install Perl on your locked down computer.
To learn about his code, I’m building a FoswikiOnAStick distro based on his code, and then I hope to work out how to extend the concept to other platforms.
Aug 20 2008
CPAN, while incredibly useful, can be a pain, if you forget that you need to re-configure it after installing essential tools.
For example, if you make the mistake of setting up a basic, non-development Debian virtual machine, configure CPAN, try to use it, and on seeing ‘make’ errors like (from install Bundle::CPAN of all things) :
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible
Running install for module Compress::Raw::Zlib
Running make for P/PM/PMQS/Compress-Raw-Zlib-2.012.tar.gz
Is already unwrapped into directory /root/.cpan/build/Compress-Raw-Zlib-2.012
Has already been processed within this session
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible
Running make for P/PM/PMQS/IO-Compress-Zlib-2.012.tar.gz
Is already unwrapped into directory /root/.cpan/build/IO-Compress-Zlib-2.012
Has already been processed within this session
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible
cpan>
You install make apt-get update ; apt-get install build-essential…, only to continue to see the same errors wizz past….
CPAN really truly needs to realise that the make settings are mis configured, and tell you.
What you need to do, is to tell your cpan about it by running:
cpan> o conf init
OR, if you’ve not yet messed (configured) up your cpan, install build-essential first.
And while you’re contemplating using cpan, think hard about trying dh-make-perl instead 
Ideally, CPAN should be able to realise that it can’t call make if it does not know where it is - and point this fact out, rather than making it appear as though the package being installed has an issue.
Jul 25 2008
I’ve just updated the Experimental TWiki and Plugins repository. It now contains TWiki 4.2.0 and 212 Plugins, Contribs and Skins that you can simply apt-get install
To use them, add the following 2 lines to your /etc/apt/sources.list
deb http://distributedinformation.com/experimental/ experimental main contrib
deb-src http://distributedinformation.com/experimental/ experimental main contrib
then type
apt-get update
to update the available packages.
you can now see all 212 packages with apt-cache search twiki-
and install (assuming you don’t have twiki installed yet)
apt-get install apache2 twiki
and TWiki Contrib installation is as easy as
apt-get install twiki-bugscontrib
You will still need to use configure to enable Plugins.
Please report your experiences to me - bugs, gripes, you name it - its a work in progress. and I need your help!
Jun 29 2008
I was having a discussion with someone on IRC about how TWiki is vulnerable to Cross-site scripting and Cross-site request forgery, and we realized that there are 2 possible approaches to securing TWiki effectively (both requiring a unique magic number for all URLs):
1. is actually still risky as all scripts still are able to output directly to the browser using a =print= statement, thus giving the user urls that may not have a necessary magic in the url, or similarly for AddOns that persist in not using resthandlers.
whereas 2. abstracts the security from the application server, in much the same way as it is for ssl - goodness all round.
So - I wonder if there is such a proxy already?
There are also massive performance reasons why you should always have a proxy between browsers and heavy application servers like TWiki - this too could do with filling out.Securing TWiki is not as simple as converting all actions to POST (ie using proper REST / HTTP) because there are too many legacy conveniences, allowing GET URL’s to act upon the data. But, by delegating the securing of the transactions to an external wrapper, I think we can avoid these flaws.
see Wikipedia on Cross Site Scripting and Cross-site request forgery
WikiRing founding partner
twiki
wiki