[SITE] Source code



Ikani
07-31-2012, 01:07 AM
What are the site's views on open source code? Some of us are curious to look under the hood and make sure the engine is in top shape, and offer assistance if it's not. :) And barring that, making it available to those that specifically offer help in that area?

Taw
07-31-2012, 04:17 AM
As far as I know, our source code will not be open source.

Personally, I don't see a reason for our code to be public at all, as many other websites don't have their code public. I understand that collaboration can be nice on things (since we already collaborate as a team on decisions and such for the site, for example), but I think we're fine in that regard. If we ever needed our code to be tweaked or keep it in top shape, I'm sure we'd look into bringing additional coders to the team. Just my thoughts on the whole thing.

Ikani
07-31-2012, 11:57 AM
I would disagree that "because no one else does it" is a good reason, but I can totally understand keeping the collaboration pool limited.

Along the same lines, what are your plans for security audits? Security is where a lot of other sites are lacking, so it's a bit of a focus for me.

Sorry I'm probably gonna have a bunch of technical questions on things. :) I'm a Sysadmin by trade, and it looks like you guys have a decent setup AND a decent community, so I want to make sure things get off on the right foot. :)

oneandonly
07-31-2012, 12:16 PM
I would disagree that "because no one else does it" is a good reason, but I can totally understand keeping the collaboration pool limited.

Along the same lines, what are your plans for security audits? Security is where a lot of other sites are lacking, so it's a bit of a focus for me.

Sorry I'm probably gonna have a bunch of technical questions on things. :) I'm a Sysadmin by trade, and it looks like you guys have a decent setup AND a decent community, so I want to make sure things get off on the right foot. :)

If I remember right, a large part of Weasyl spawned off because of lack of security in other sites. It has been one of the main points in getting people to join the site.

piņardilla
07-31-2012, 02:10 PM
If I remember right, a large part of Weasyl spawned off because of lack of security in other sites. It has been one of the main points in getting people to join the site.

Which is why it would be good for the code to be open-source, so that users themselves can satisfy themselves that the code is secure, and if they find something that seems to be a vulnerability, they can call the admins' attention to it.

I can understand not wanting other sites with more established userbases to be able to just rip off the code here though. Weasyl would be putting its competitive edge at risk.

Ikani
07-31-2012, 08:57 PM
I don't know that completely public disclosure of the source code itself is needed to prove security, but public audits are definitely not a bad idea. In fact, it's very likely that those "audits" will happen with or without the permission of the admins. This is how just about every security vulnerability has come up with, say, FA for example. Just hiding a problem doesn't help, because it becomes a challenge to find these problems.

Audits aren't something that need to happen immediately, of course, but as soon as reasonably doable is good, and most definitely before the site opens to the general public.

I refer to this post about password hashing: http://blog.cryptohaze.com/2012/07/a-call-for-password-algorithm-disclosure.html

You guys have a lot of neat ideas. And I see a lot of things from when Ben was helping with Blue Taboo. It's nice to see some of that come to fruition. :)

Kihari
07-31-2012, 11:26 PM
While Weasyl's code won't be available to the public (or to anyone whose responsibilities do not require access to it), there is indeed value in disclosing certain types of information. Since Ikani asked about password storage, I will mention that our current system verifies passwords based on two hashsums of the form:

hash_forward = SHA1(salt_unique_to_user + key_stored_in_code + user_entered_password)
hash_reverse = SHA1(salt_unique_to_user.reverse() + key_stored_in_code + user_entered_password)

With that said, I've figured out the hard way before that home-grown solutions aren't always the best bet, and also recently learned that py-bcrypt (http://code.google.com/p/py-bcrypt/) was a thing, so there's that.

Ikani
08-01-2012, 12:22 AM
Aha! This is the kind of technical answer I was looking for. :) (Also yes, bcrypt is good!)

In fact ya. Checking with some security friends of mine, I would highly recommend the bcrypt route.

Aerdan
10-03-2012, 12:29 PM
Aha! This is the kind of technical answer I was looking for. :) (Also yes, bcrypt is good!)

In fact ya. Checking with some security friends of mine, I would highly recommend the bcrypt route.

Instead of using bcrypt, consider using pbkdf2 (e.g. python-pbkdf2); it is more secure than bcrypt.
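The following is an added example written for this page; it is not Weasyl's code and not code posted by anyone in the thread. It reconstructs the two-SHA1 scheme Kihari describes (the byte layout of salt, key and password is assumed, as is the server-side key value), puts a PBKDF2-HMAC-SHA256 verifier from the standard library next to it as the kind of slow, purpose-built KDF the later replies recommend (bcrypt needs a third-party package; PBKDF2 is used here only because hashlib ships it), and shows the migration path a site would actually need: verify a legacy record on login, and on success re-hash and drop the old fields. The 600,000 iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256; the record format with `$` separators and the field names are illustrative choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed for the demonstration: the real server-side key is not on the page.
KEY_STORED_IN_CODE = b"example-server-side-key"

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_hashes(salt: bytes, password: str) -> Tuple[str, str]:
    """Reconstruction of the scheme described in the thread (assumed byte layout).

    Both values cost one SHA1 call each, so an attacker with the per-user salt
    and the key from the code can test candidates at raw SHA1 speed; reversing
    the salt for the second hash does not change that cost.
    """
    pw = password.encode("utf-8")
    forward = hashlib.sha1(salt + KEY_STORED_IN_CODE + pw).hexdigest()
    reverse = hashlib.sha1(salt[::-1] + KEY_STORED_IN_CODE + pw).hexdigest()
    return forward, reverse


def legacy_verify(salt: bytes, stored_forward: str, stored_reverse: str,
                  password: str) -> bool:
    """Constant-time comparison of both stored hashsums."""
    forward, reverse = legacy_hashes(salt, password)
    return (hmac.compare_digest(forward, stored_forward)
            and hmac.compare_digest(reverse, stored_reverse))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt and key.

    Storing the iteration count with the hash lets it be raised later without
    a second migration. Salt is 16 random bytes per user.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Re-derive with the parameters from the record and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_migrate(record: Dict[str, object], password: str) -> bool:
    """Verify against whichever scheme the user record holds.

    Legacy records (hypothetical field names: salt/forward/reverse) are checked
    with the old scheme; on a successful login the password is re-hashed with
    PBKDF2 and the legacy fields are removed, so users migrate as they log in.
    """
    if "pbkdf2" in record:
        return pbkdf2_verify(record["pbkdf2"], password)
    ok = legacy_verify(record["salt"], record["forward"], record["reverse"], password)
    if ok:
        record["pbkdf2"] = pbkdf2_hash(password)
        for field in ("salt", "forward", "reverse"):
            del record[field]
    return ok


if __name__ == "__main__":
    # Constructed sample user record in the legacy format.
    salt = b"per-user-salt"
    fwd, rev = legacy_hashes(salt, "correct horse battery staple")
    user = {"salt": salt, "forward": fwd, "reverse": rev}
    print("legacy login:", login_and_migrate(user, "correct horse battery staple"))
    print("migrated record:", user)
    print("second login:", login_and_migrate(user, "correct horse battery staple"))
```

The migration only covers users who log in; accounts that never return keep the SHA1-based values, so a deployment would also want a deadline after which dormant accounts are forced through a password reset.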