Slashdot Mirror


TWiki.net Kicks Out All TWiki Contributors

David Gerard noted an interesting story going down with a relatively minor project that has interesting implications for any Open Source project. He writes "Ten years ago, Peter Thoeny started the TWiki wiki engine. It attracted many contributors at twiki.org. About a year ago, Thoeny founded the startup twiki.net. On 27th October, twiki.net locked all the other contributors out of twiki.org in an event Thoeny called 'the twiki.org relaunch.' Here's the IRC meeting log. All the other core developers have now moved to a new project, NextWiki. Is it a sensible move for a venture capital firm that depends on a healthy Open Source community to lock it out?"

7 of 194 comments

  1. You make a good point... by Anonymous Coward · · Score: 5, Funny

    but on the other hand, yes.

    1. Re:You make a good point... by Ethanol-fueled · · Score: 5, Insightful

      Close_Source==Money, Open_Source==!Money

      Fixed it for you. I'm a noob taking a software engineering class at a community college.

      We had a consultant come in for show-and-tell and he made some very good points, but he told us to stay away from open source because (shortened version) if we wanted to be well-known in the open source world then we'd have to slog it out full-time, fighting amongst other egos working for free just trying to get our names known.

      But how is that different from working on proprietary software? Working on proprietary software earns a paycheck.

      Note that the above is not my personal opinion, but after I graduate I won't have any more basements to live in and I will be hungry.

    2. Re:You make a good point... by Anonymous Coward · · Score: 5, Insightful

      I will let you in on a little secret. I went to a division III college in a small town. The people I ended up graduating with in computing mostly had trouble finding jobs and those that did seemed bored by them, mostly working in insurance, accounting, etc. They were taught VB, Java, and Cobol in school, but not necessarily how to think like a programmer.

      I ended up going back to school at a much larger school, and getting a degree in an analytical field, which has a piece of open source software that I use at my job regularly. I have contributed my time and efforts to improving this project because I use it and need those improvements, and it helps others. I do this during work sometimes, but often times at night. I do this because I *like* it. I have no conceptions of making a name for myself.

      And now I've just switched cities and had to find a new job. It's tough for a lot of people. Guess what? During the interviews, it comes up that I actually enjoy programming, contribute to this project, and generally have a good understanding of programming. I've had three offers this month already, in a tough economy.

      The point? It's much easier to find work when you are passionate about what you're doing, as many open source authors are. It's not cause and effect, it's correlation. Those who are working on open source tend to be those who really enjoy programming, and that is of course correlated with being good at it. I would not listen to anyone who told me to 'stay away' from it if I enjoyed it, that sounds like a pathetic person.

  2. Re:Personal crap. by larry+bagina · · Score: 5, Funny

    so she's available?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  3. Wrong logs by nuddlegg · · Score: 5, Informative

    The logs in the posting above are not so interesting. If you need the logs of the way this was communicated to the TWiki community then have a look at http://twikifork.org/pub/Fork/TWikiReleaseMeeting2008x10x27/twiki_release_2008_10_27.log

  4. Re:Twiki blows by Ed+Avis · · Score: 5, Informative

    I think the most serious criticism of TWiki is its poor security track record. I used to run a site, until it was compromised by a widespread exploit uploading a PHP file as an attachment, which TWiki then saves in a directory served directly by Apache - so an attacker can upload any program he wants and it runs with privileges of the web server. In my case, it was a rather handy remote administration tool that lets you alter any file on the system (that's writable by Apache) and download the contents of /etc/passwd.

    OK, anyone could get caught out by such a mistake, but the response of the TWiki developers does not inspire confidence. They added a blacklist of 'bad file extensions' so that filenames ending .php cannot be uploaded. Of course, this falls into the mistake of 'enumerating badness' and leaves you open to the next magic file extension that the developers hadn't thought of. At least in TWiki 2 the problem has been dealt with properly by using a CGI script to serve attachments, rather than leaving them to the vagaries of Apache's configuration (which is great for a website you maintain yourself, not so good for directories where anyone can upload any file with any name).

    It appeared that the TWiki developers' security process was purely reactive - kludging in fixes to exploits as they were discovered - and nobody was auditing the code to discover holes before the bad guys do, or just to clean up bad smells that might or might not lead to an exploit later.

    Looking at the TWiki code, it's rather a mess and doesn't seem to take the paranoid precautions you need in Perl when running system() and other interaction with the outside world - precautions particularly needed in a CGI program that's meant to be publicly accessible. I am a keen Perl programmer but TWiki is the kind of code that gives Perl a bad reputation.

    That said, in an environment where you trust everybody (like a company webserver accessible only on your network) TWiki is a very handy application. I rather like the grungy way it keeps page content in RCS archives; you can hack up scripts to automatically import your existing static HTML pages into the wiki. But if I were installing a new wiki now I would use something else: preferably the kind of wiki that works by generating a set of static HTML pages and updating them on edits. That seems to have the smallest attack surface and the best performance.

    --
    -- Ed Avis ed@membled.com
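
Added example, not part of the comment above and not TWiki's code: a Python sketch of the two designs the comment contrasts, an extension denylist versus serving attachments through a script from storage the web server does not map to a URL. `denylist_allows`, `AttachmentStore` and the sample file name are hypothetical, and the storage root is assumed to lie outside the web root.

```python
import os
import secrets
import tempfile

DENYLIST = {".php"}   # the 'bad file extensions' approach described in the comment

def denylist_allows(filename):
    """Enumerating badness: accept anything whose extension is not listed."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST

class AttachmentStore:
    """Keeps uploads under server-chosen names and serves them only via serve()."""
    def __init__(self, root):
        self.root = root    # assumption: no web server URL maps to this directory
        self.index = {}     # attachment id -> (display name, path on disk)

    def save(self, client_name, data):
        att_id = secrets.token_hex(16)            # on-disk name never derives from user input
        path = os.path.join(self.root, att_id)
        with open(path, "wb") as fh:
            fh.write(data)
        # The client's name is kept for display only: no directories, quotes or control chars.
        display = os.path.basename(client_name.replace("\\", "/"))
        display = "".join(c for c in display if c.isprintable() and c != '"') or "attachment"
        self.index[att_id] = (display, path)
        return att_id

    def serve(self, att_id):
        """What the download script would emit: (status, headers, body)."""
        if att_id not in self.index:              # lookup by id; no path is built from the request
            return 404, {}, b""
        display, path = self.index[att_id]
        with open(path, "rb") as fh:
            body = fh.read()
        headers = {
            "Content-Type": "application/octet-stream",   # never inferred from the extension
            "Content-Disposition": f'attachment; filename="{display}"',
            "X-Content-Type-Options": "nosniff",
        }
        return 200, headers, body

def demo():
    # Constructed sample upload: an extension the denylist author did not anticipate.
    store = AttachmentStore(tempfile.mkdtemp())
    att_id = store.save("../../notes.phtml", b"<?php /* constructed sample */ ?>")
    return denylist_allows("notes.phtml"), store, att_id
```

The denylist passes the sample name, while the store never lets the name decide where the bytes land or how they are returned, so the web server's extension handling is not involved at all.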
  5. Mambo/Joomla anyone? by Qbertino · · Score: 5, Insightful

    Rule Number 1: NEVER get pissy with the majority of main core contributors. If the project has *any* significance at all, you WILL lose. And for very good reasons (and riddance) too. That's a fact. Learn it.

    --
    We suffer more in our imagination than in reality. - Seneca