Security topics

Joomla! Documentation Workgroup

Security topics

Post by Webdongle » Sun Nov 04, 2012 1:30 am

I see many modifications, page changes and new pages concerning security with Joomla. None of these have been made by the Moderators of the security forums and some are doubtful to their accuracy.

An example:
http://docs.joomla.org/Security_Checkli ... issions%3F The edit restrictions were removed 13th last month. Surely only the moderators of the security forums should make such changes.
mandville and PhilD have worked hard on the security pages to make sure the wiki docs were consistent to the advice given in the forum. For someone to change the edit permissions with a comment of 'Removed protection from "Security Checklist/You have been hacked or defaced": hmm, don't know why this was protected' ... shows that the person making the edit has no idea of the necessity to keep those pages accurate.

This brings the validity of the person's edits into question and may have significant ramifications in the Joomla security forums, with users pointing to incorrect information in (the wiki) to contradict what mandville and PhilD advise.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: Security topics

Post by Chris Davenport » Sun Nov 04, 2012 9:32 am

I understand where you're coming from but wiki pages are meant to be edited by anyone and the idea of restricting certain pages to certain groups is counter to that philosophy and isn't fully supported by the wiki software.

It's perfectly fine for someone or some group to take on the responsibility of maintaining a page or groups of pages, but that should never really be considered an exclusive privilege. Wikis work best when everyone can incrementally improve the content. Any pages that someone wants to curate should be added to their watch list so that they get notified when any changes are made and they can respond appropriately. Discussion about an edit or a proposed edit should take place on the talk/discussion page for the page concerned (and incidentally not on the user's talk page as I've seen happen recently).

The primary purpose of the "protect" feature is to prevent certain high profile pages from being edited by spammers. I think it's perfectly fine for pages on security topics to be added to the protected pages list if that's what the security forum moderators want, but they need to be aware that the wiki doesn't stand still and the wiki administrators are always trying to improve the presentation, organisation and navigation of content within the wiki and that will naturally include the security pages.

If the security forum moderators want to protect a certain page they can easily contact myself or any of the wiki moderators to have that done. I haven't checked, but they might even be able to do it themselves.

But if they want absolute control over the security pages then they should move them to another platform as the wiki is not a suitable place for such content.

Regards,
Chris.
Chris Davenport

Davenport Technology Services http://www.davenporttechnology.com/
Lion Coppice http://www.lioncoppice.org/


Re: Security topics

Post by Webdongle » Sun Nov 04, 2012 1:43 pm

Chris Davenport wrote:... I think it's perfectly fine for pages on security topics to be added to the protected pages list if that's what the security forum moderators want, but they need to be aware that the wiki doesn't stand still and the wiki administrators are always trying to improve the presentation, organisation and navigation of content within the wiki and that will naturally include the security pages.
But for someone to remove the protection is a separate issue to organising the wiki. Also, for someone to reorganise specific topics (without knowledge of that subject) is a recipe for disaster.
Chris Davenport wrote:...
If the security forum moderators want to protect a certain page they can easily contact myself or any of the wiki moderators to have that done. I haven't checked, but they might even be able to do it themselves.
...
They obviously either contacted you or set them themselves ... (How else were they set that way in the first place ?!).
Chris Davenport wrote:...
But if they want absolute control over the security pages then they should move them to another platform
...
If they do that then are they not risking being accused of self promotion ?
Chris Davenport wrote:...
as the wiki is not a suitable place for such content.
...
This highlights what has been said by many for a long time ... docs.joomla is not official Joomla documentation.

Re: Security topics

Post by mandville » Sun Nov 04, 2012 9:24 pm

One of the recent changes made without notice was
* renaming the page,
* removing the protection
* making it a 'series of articles' whereas it's always been part of the checklists. Are the checklists now all articles?
* apparently phild and myself no longer have access to edit checklist 7.
As for the discussions on user pages, I would love it to be done on the topic page.
Regarding the off docs situation, that is something you are aware of [and your team should be] and why these checklists ended up on the docs in the first place.
I believe it is now being progressed/expedited by Sander.
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Security topics

Post by Webdongle » Sun Nov 04, 2012 9:43 pm

Due to the facts that some of the pages (about security) in the wiki can be edited by 'everyone and their dog' ... and that other pages (about security) in the wiki can no longer be edited by the moderators of the security forums ... then the wiki pages should contain a warning at the top of each page.

...

Perhaps the security documentation should be in a sub domain of Joomla.org. And editing access only allowed to members of the JSST ?


Edit
Removed quote
Last edited by Webdongle on Tue Nov 06, 2012 2:13 pm, edited 1 time in total.

Re: Security topics

Post by mandville » Sun Nov 04, 2012 10:35 pm

I would and should add that I understand the evolving nature of the wiki pages; could the plans for it be placed in open forum for discussion?

Re: Security topics

Post by PhilD » Tue Nov 06, 2012 7:42 am

@webdongle

I have no idea what you're going on about with security moderators not being able to access certain wiki doc pages such as the checklist 7 and the VEL page. I have been able to access and edit these pages if so desired on a daily basis at all hours day and night. It is possible that a backup process or a sysop needed to put a temporary lock on a page that happened to coincide with an edit attempt. This would only normally have lasted a short time though.

All people accessing the wiki pages are also able to access the pages for reading and use as before.

I would appreciate it if you edit your recent forum posts and remove or alter to reflect that the security administrators do have access to the pages as we always have and not continue to post that we do not.
webdongle wrote: Also the wiki documentation is not official Joomla documentation. Please see http://forum.joomla.org/viewtopic.php?p ... 6#p2930936 the Moderators of the Joomla security forums no longer have access to the wiki security pages. And are complaining that the information has been mixed around.

Everyone:

Both mandville and myself are capable of protecting or unprotecting the security page(s) and the VEL page at any time without having to bother anyone else. We are also capable of reverting changes to the pages to a previous state. This does not mean we are the only ones capable of doing this. Other admins and sysops may also do this.

I am not a fan of protecting wiki pages as it violates what a wiki is, but it has been shown in the past that unfortunately certain "high profile" pages need protections added.

I am going to go over a number of things recent and past that hopefully will clear up some misunderstandings by everyone.

It was previously agreed at mandville's and my request that two pages (checklist 7 and the VEL page) could be under the control of a small group in order to maintain the integrity of the VEL and to maintain the safety of websites in the case of the checklist 7. This was agreed to by Chris Davenport, mandville, PhilD.

All admins and sysops continue to have access to these pages; it is understood that changes to the content of these two pages would normally be made by mandville, PhilD or lafrance and not other admins unless under an emergency. I was never under the impression otherwise. This was agreed to and has been in effect for quite some time now on these two pages. The agreed upon members allowed to make content edits to the pages are mandville, PhilD, and lafrance with the expectation that other admins and sysops also had access. All three people are security moderators and this has worked well.

There was never to my knowledge any agreement to never ever change the title, location of the pages within the wiki or not reformat the page layout, or never add additional menus. Nor was there an agreement to exclude other admins or sysops.

The reasons why the pages are protected from editing by non admins:

The VEL has to maintain integrity and trust, both for the end user and for developers. Imagine if anyone could edit the VEL page and post what may be a false report for an extension. How would you feel if you were the developer being attacked in such a way? Also, imagine an end user checking the VEL and a developer not liking his insecure extension on the VEL removes it or alters some of the info. Now someone's site remains hackable through this insecure extension that was altered or removed. How would you feel if you lost well paying clients because of this? In both cases who do you think is going to get the blame for not securing the info in some way to help ensure the Now the VEL page is useless to all if this is allowed to happen. It is also why it is guarded rather well by mandville and myself.

The checklist 7 (Security Checklist/You have been hacked or defaced) has one line shell scripts that can easily be altered to delete everything when run. These scripts have been altered in the past, though they were only broken. While the checklist 7 is monitored closely, someone could accidentally delete their site by running an altered script before we discover (are automatically notified of a change) the alteration and have time to revert the page. How would you feel if you ran a script only to have it delete your hard work or delete a site you were helping fix? Who would you blame? Who would they blame?

The only recent issue as I saw it as far as page protection went was that Hutchy68 did not initially understand why there was protection on the pages and removed it. This would be a normal reaction as wiki pages are not normally protected. Once I explained why the protection was in place the protection was placed back. An additional warning against editing the VEL was also added (it is only visible to persons that can edit protected pages) so there would be no future misunderstanding about who to contact about the VEL page and as a reminder to those who have permissions to edit protected pages.

The other recent issue was the unannounced editing of certain pages which naturally triggered both mine and mandville's initial actions or reactions. This has been taken care of, at least as far as I am concerned, as I have been in contact with the person making these approved changes to explain our position and in return he has explained some of the reasoning behind the changes that are necessary.

The discussion page on the VEL was locked by someone.
Who or why, I don't know. At the time of being locked some comments or suggestions on VEL discussion page suggesting ways of improvement were deleted from the discussion page. The discussion pages (even on protected pages) should never be locked and if anyone finds any that are please let me know so I can fix this.

Issues have also recently arisen when a redesign of the wiki docs was undertaken.
Communication could have been better initially. Because it was not communicated properly, mandville and I responded to the alterations of the pages in what I would call a proper manner and reverted the changes and so on. It also caused some confusion with regular users, but old links still work and redirect properly to the proper new pages.

I have made the suggestion to Hutchy68 (and Chris also to you) that we create some sort of wiki page as a kind of roadmap for the changes so anyone can see what is going on and what will go on.

I think this may help during the 'construction' phases.

Overall people (including me) are liking the new stuff, and are making good comments on it. People have started new article series and are using the new format and template calls to put it together. This in turn has integrated it automatically into the proper landing page with version specific information included.

As it stands now this is the raw stuff I have as far as what is going on. I think this is basically correct.

* The plan is to make the Doc Wiki more organized and easier for users (new and experienced) to find information quickly and logically.

* A couple of clicks off the main page, navigational boxes for articles in a series, like topics grouped (such as Administrator, Extensions, Development) are some examples.

* Better landing pages with links to other pages,
* template integration for easier transclusions
* and automatic page information about Joomla! version specifics.

* the categories are now down to 11 uncategorized categories.

* The Top Level category will always be uncategorized.

* pages are being put into categories. There are a lot of them without categories still which makes it hard to find them and list with DPL calls on Landing pages.

* It would be nice for each Working Group to have its own Landing page on the wiki, like http://docs.joomla.org/Documentation_Working_Group.

* Security should have a working group also.

I hope this clears up some of the misunderstanding on both sides of this issue.
PhilD


Re: Security topics

Post by Webdongle » Tue Nov 06, 2012 2:45 pm

PhilD wrote:@webdongle

I have no idea what you're going on about with security moderators not being able to access certain wiki doc pages such as the checklist 7 and the VEL page. I have been able to access and edit these pages if so desired on a daily basis at all hours day and night. It is possible that a backup process or a sysop needed to put a temporary lock on a page that happened to coincide with an edit attempt. This would only normally have lasted a short time though.
......
Not according to mandville
PhilD wrote:...

All people accessing the wiki pages are also able to access the pages for reading and use as before.

I would appreciate it if you edit your recent forum posts and remove or alter to reflect that the security administrators do have access to the pages as we always have and not continue to post that we do not.
How can the security (or any wiki) pages be 'official' when everyone and their dog is allowed to edit them?

There also appears to be a mismatch, with some open for all to edit while others (according to mandville) are locked from her.


PhilD wrote:...
All admins and sysops continue to have access to these pages it is understood that changes to the content of these two pages would normally be made by mandville, PhilD or lafrance and not other admins unless under an emergency. I was never under the impression otherwise. This was agreed to and has been in effect for quite some time now on these two pages. The agreed upon members allowed to make content edits to the pages are mandville, PhilD, and lafrance with the expectation that other admins and sysops also had access. All three people are security moderators and this has worked well.

There was never to my knowledge any agreement to never ever change the title, location of the pages within the wiki or not reformat the page layout, or never add additional menus. Nor was there an agreement to exclude other admins or sysops.
...

PhilD wrote:...
I am not a fan of protecting wiki pages as it violates what a wiki is, but it has been shown in the past that unfortunately certain "high profile" pages need protections added.

I am going to go over a number of things recent and past that hopefully will clear up some misunderstandings by everyone.

It was previously agreed at mandvilles and my request that two pages (checklist 7 and the VEL page) could be under the control of a small group in order to maintain the integrity of the VEL and to maintain the safety of websites in the case of the checklist 7. This was agreed to by Chris Davenport, mandville, PhilD.

All admins and sysops continue to have access to these pages it is understood that changes to the content of these two pages would normally be made by mandville, PhilD or lafrance and not other admins unless under an emergency. I was never under the impression otherwise. This was agreed to and has been in effect for quite some time now on these two pages. The agreed upon members allowed to make content edits to the pages are mandville, PhilD, and lafrance with the expectation that other admins and sysops also had access. All three people are security moderators and this has worked well.

There was never to my knowledge any agreement to never ever change the title, location of the pages within the wiki or not reformat the page layout, or never add additional menus. Nor was there an agreement to exclude other admins or sysops.
...
But that is the point: there were changes made by other than (in your own words) "The agreed upon members".

With mandville posting she has no edit access to some of the security pages ... yet other security pages being editable by everyone and their dog ... and some security pages being moved around by a non member of the security team ...
Then the wiki docs can not (by any stretch of the imagination) be called official.

Re: Security topics

Post by mandville » Tue Nov 06, 2012 3:06 pm

At the time of checking I could not alter checklist 7. I have not tried with VEL again yet.

Re: Security topics

Post by Webdongle » Tue Nov 06, 2012 3:47 pm

mandville wrote:At the time of checking I could not alter checklist 7. I have not tried with VEL again yet.
In your 'Before you post: read and action this' you link to http://docs.joomla.org/Security_Checklist_7
which is redirected to http://docs.joomla.org/Security_Checkli ... or_defaced

But there is also http://docs.joomla.org/Checklist_7/ which is editable by all.

Could this be part of the confusion ?

In the wiki a page with a trailing slash is treated as a separate page to one of the same name that does not.

Re: Security topics

Post by PhilD » Tue Nov 06, 2012 7:06 pm

Webdongle wrote:
mandville wrote:At the time of checking I could not alter checklist 7. I have not tried with VEL again yet.
In your 'Before you post: read and action this' you link to http://docs.joomla.org/Security_Checklist_7
which is redirected to http://docs.joomla.org/Security_Checkli ... or_defaced

But there is also http://docs.joomla.org/Checklist_7/ which is editable by all.

Could this be part of the confusion ?

In the wiki a page with a trailing slash is treated as a separate page to one of the same name that does not.
Agreed upon members never excluded admins or sysops from editing. Only general registered wiki users were excluded. There is/was an agreement that some security pages or pages that fall under security, could be protected from changes by registered wiki users and that in general only the forum security mods would make changes to content.

Protecting pages is contrary to what a wiki is, but it is recognized by the sysops that some pages may have to have some restrictions placed upon them.

Wiki is an open format that all registered users can contribute to. It is necessary in security to protect some pages for the safety of those using them as I have outlined. Most of the security pages are open to all registered wiki users for editing.

The page(s) causing your confusion were created by mandville back in February. Maybe she can explain why this was done. Perhaps it was intended as an updated page layout at that time.

Re: Security topics

Post by Webdongle » Tue Nov 06, 2012 7:41 pm

I understand that some consider wiki docs to be official and want the docs to be available to all. And yes, I understand the philosophy of wiki. It is just that, IMHO, having an open edit policy and having official documentation are mutually exclusive. To say something is 'official' and still allow anyone to edit is an oxymoron.

Here are a few examples of wiki docs about security ... that can be edited by everybody and their dog.
http://docs.joomla.org/Security_and_Performance_FAQs
http://docs.joomla.org/Security_Checkli ... ng_Started
http://docs.joomla.org/Security_Checkli ... rver_Setup
http://docs.joomla.org/Top_10_Stupidest ... tor_Tricks
http://docs.joomla.org/Htaccess_examples_%28security%29

You will notice the 'Check list' that was ordered 1-7 has been renamed (in most cases) to an article. Surely the 'Check list' was in a specific order for a specific reason. And therefore removing the progression 1-7 defeats the purpose of systematically checking the security !!! The order of the list was essential and the effectiveness of it has been dissipated.

You will notice that one of the links is to a security page about .htaccess. And I'm sure you realise the serious consequences if ... anyone and their dog ... posted wrong information there and the advice was followed. That is why I say that the security pages are not and can not be considered official.

Those are just 5 examples and there are at least 20 more. Therefore I stand by my statement that security pages are not official documentation. I will however concede that there are some security pages that are locked and they are official documentation. Yet how is the average Joe user to know which documents are official and which are written by everyone and their dog ? By looking to see what they can edit :laugh:


The wiki treating urls with a trailing slash as a separate page to one without ... has caused quite a bit of confusion in the wiki before.

Re: Security topics

Post by PhilD » Tue Nov 06, 2012 8:21 pm

I'm sorry, but other than your referrals to "official" for the wiki documentation, where does it state it is? Because the wiki docs is an official site? The wiki is documentation written by people who know certain subject matter and would like to share that knowledge. Overall the documentation with all the warts is pretty good and is going to be about as "official" as you're going to get under open source documentation. They are just trying to remove some of the warts.

Wiki articles can be created by anyone who cares to register on the wiki site. As I understand it, if a new article is not categorized by the creator at time of creation, it goes in uncategorized (as it always has) and will be categorized by a wiki editor, admin, sysop as they see fit.

Older or existing articles are being recategorized and retitled where necessary in order to assist with bringing some order to chaos. If you see what you feel is improper structure let us know about it. As far as the checklists go, they are being replaced with pages that have more descriptive names, but the order is still basically the same. The order is listed in the menu box titled "Articles in this series". The new names basically drop the Security Checklist #xx from the name. So for example, Security Checklist 2 - Hosting and Server Setup becomes a more descriptive Security Checklist/Hosting and Server Setup. It still appears in order.

With the possible exception of http://docs.joomla.org/Htaccess_examples_%28security%29 I don't see where any pages you list need to be locked from normal editing by registered wiki users.

Re: Security topics

Post by Webdongle » Tue Nov 06, 2012 10:03 pm

Still methinks that having security documentation in the wiki ... with some pages locked and others open for edit ... is confusing to the average Joe user. And that having a separate place for security documents would be preferable. But what do I know, I'm just a talented amateur that enjoys using Joomla. And you are a moderator ... so you are right and I am wrong.

btw
It is good to be able to express ones opinion, thanks.

Re: Security topics

Post by Webdongle » Fri Nov 23, 2012 10:37 pm

http://docs.joomla.org/Cleared_vulnerable_extensions

Is it a good idea for that to be available for edit ? Any developer or well wisher can edit it and say an extension has been cleared.

Re: Security topics

Post by Chris Davenport » Fri Nov 23, 2012 10:45 pm

It hasn't been updated since April 2009. Is there any reason not to simply delete it?

Chris.

Re: Security topics

Post by Webdongle » Fri Nov 23, 2012 10:51 pm

Chris Davenport wrote:... Is there any reason not to simply delete it?
....
Much easier for fixed extensions to be edited as fixed in the VEL methinks. But isn't that a question that you should be asking the security team ?

Re: Security topics

Post by PhilD » Fri Nov 23, 2012 11:02 pm

Protected and done to match the rest of the VEL documents; ask mandville about deleting.