Subject: KampalaMeetingLog2015x04x16.txt
Date: April 16, 2015 4:06:42 PM PDT

[3:00pm] HaraldJoerg: Hello Peter
[3:00pm] PeterThoeny: good evening harald!
[3:01pm] PeterThoeny: what is new?
[3:01pm] HaraldJoerg: I'm still tweaking the PSGI stuff
[3:02pm] PeterThoeny: good stuff!
[3:02pm] PeterThoeny: i went to colorado with my son to check out a university
[3:02pm] HaraldJoerg: The windows standalone .exe file is quite nice, only 8.5MB
[3:03pm] PeterThoeny: what needs to be extra besides the exe?
[3:03pm] HaraldJoerg: data and pub
[3:03pm] PeterThoeny: even perl is included??
[3:04pm] HaraldJoerg: Yep
[3:04pm] PeterThoeny: wow
[3:04pm] PeterThoeny: so no other dependencies
[3:04pm] HaraldJoerg: Ah, templates, locales, working are needed too as directories
[3:04pm] PeterThoeny: sure, twiki files
[3:04pm] HaraldJoerg: No, no dependencies - have to verify on a machine without perl
[3:04pm] PeterThoeny: very small
[3:05pm] PeterThoeny: a single RAW file on my camera is 20mb
[3:05pm] HaraldJoerg: I might need to add a lib directory though, as a place for extender.pl to drop stuff, and for LocalSite.cfg
[3:05pm] PeterThoeny: when i do hdr i take three photos resulting in 3 raw + 3 jpg files
[3:05pm] PeterThoeny: total 75mb for one shot
[3:06pm] HaraldJoerg: Nice
[3:06pm] PeterThoeny: an early laptop i bought had a 20mb hard disk
[3:06pm] PeterThoeny: with compression i got 40mb out of it, wow
[3:07pm] HaraldJoerg: Compression is a key to get the TWiki executable small, too
[3:08pm] PeterThoeny: what about installing additional plugins?
[3:08pm] HaraldJoerg: Yes, that's why I want to add an extra lib directory outside the executable
[3:08pm] HaraldJoerg: For adding stuff, and for LocalSite.cfg
[3:09pm] PeterThoeny: so the exe has standard plugins compiled in it, and can handle new perl plugins?
[3:09pm] PeterThoeny: sounds like magic
[3:10pm] HaraldJoerg: It has the default plugins compiled in. I haven't verified yet that new plugins can be added.
[3:10pm] PeterThoeny: that would be really cool
[3:10pm] PeterThoeny: time check: +10 min
[3:10pm] HaraldJoerg: Yes, for a personal TWiki there's no concern about security... you're shooting your own foot only if something goes wrong
[3:11pm] PeterThoeny: i have not heard from hideyo-san
[3:11pm] PeterThoeny: shall we start?
[3:11pm] HaraldJoerg: Fine!
[3:11pm] PeterThoeny: we can do informal meeting if you wish
[3:11pm] PeterThoeny: a simplesync meeting
[3:11pm] HaraldJoerg: That's ok
[3:12pm] PeterThoeny: topics i'd like to cover: your psgi stuff
[3:12pm] PeterThoeny: - IfThenActionPlugin
[3:12pm] PeterThoeny: do you have anything else?
[3:13pm] HaraldJoerg: Not really... Maybe I'll submit a feature request or two within the next weeks
[3:13pm] PeterThoeny: ok
[3:13pm] HaraldJoerg: 1) Allow login names to be case-insensitive
[3:13pm] PeterThoeny: sounds good
[3:13pm] HaraldJoerg: 2) Crypttoken is an incredible annoyance with mandatory form fields
[3:14pm] PeterThoeny: related: web.topic names to be case-insensitive
[3:14pm] HaraldJoerg: If you miss a field, the help text says "go back in your browser", but you then can't save, and copy/paste doesn't work on form fields at all
[3:14pm] PeterThoeny: what is the problem with crypt token?
[3:14pm] PeterThoeny: oic
[3:14pm] PeterThoeny: yes, is annoying
[3:16pm] HaraldJoerg: I would not want to use case insensitive webs right now
[3:16pm] PeterThoeny: a simple workaround is to make the crypt token configurable: off (existing), on for whole user session (new), on for single request (existing)
[3:17pm] PeterThoeny: the second option could be a reasonable security level for most deployments
[3:18pm] HaraldJoerg: I'd rather find a process for Oops pages to allow re-use of the previous crypttoken
[3:18pm] PeterThoeny: yes, that is a clean solution
[3:19pm] HaraldJoerg: This still doesn't cover the back button for "quick typo fixes" of a page I just saved
[3:20pm] PeterThoeny: which is a very natural and common thing people do
[3:20pm] PeterThoeny: hence annoying
[3:21pm] HaraldJoerg: Yes, especially on large topics. I use an external editor for these (It's all text, a firefox plugin) which works perfectly for the back button, but of course opens a new edit session if I hit "Edit" again
[3:21pm] PeterThoeny: could be solved by retaining the crypt token on a per user per topic per edit reprev time level
[3:22pm] HaraldJoerg: Yeah, but in this case distinguishing "planned" from "malicious" actions is extremely difficult
[3:23pm] PeterThoeny: well, if you tie to logged in user it is less likely to be abused (although does not guard against xss exploits)
[3:23pm] HaraldJoerg: I thought the crypt token is against XSS exploits?
[3:24pm] PeterThoeny: yes
[3:25pm] PeterThoeny: actually, it would be vulnerable by man in middle that hijacks the user session
[3:26pm] HaraldJoerg: There's not much TWiki can do against a man in the middle who forges the body of a save request
[3:26pm] PeterThoeny: adding a time limit (such as $TWiki::cfg{ReplaceIfEditedAgainWithin}), and tying user and topic to crypt token would be a reasonable security level i think
[3:27pm] PeterThoeny: back to psgi exe, on what windows versions does it run?
[3:28pm] HaraldJoerg: I'd produce it on 32-bit Windows 7
[3:28pm] HaraldJoerg: I have no idea how robust pp is for new Windows versions
[3:29pm] HaraldJoerg: But I can kindly ask family members to lend me their nifty win8.1 tablets
[3:30pm] PeterThoeny:
[3:30pm] HaraldJoerg: Windows tablets seem to have 32bit OS, therefore I didn't use 64bit Perl for that
[3:30pm] PeterThoeny: and i can test on an ancient xp
[3:30pm] PeterThoeny: though i doubt it will run
[3:30pm] PeterThoeny: anyway not useful on xp
[3:31pm] HaraldJoerg: I doubt that XP will do, there are too many changes in the OS interfaces. You'd need to produce it on Windows XP.
[3:31pm] PeterThoeny: in any case, replacing the 8 year old TWiki-WP-4.0.5 is good
[3:31pm] HaraldJoerg: The most time-consuming part is building a TWiki release
[3:32pm] HaraldJoerg: I ran through the official procedure and it included a SVN checkout twice... so two times 40,000 files over the wire
[3:32pm] PeterThoeny: can't you base it on the twiki zip?
[3:33pm] HaraldJoerg: Theoretically yes, but I need a few patches which are only in SVN
[3:33pm] HaraldJoerg: (and in 06.00, I think that's complete now, too)
[3:34pm] PeterThoeny: i think for a distro it is better to base it on the latest distro, e.g. twiki-6.0.1
[3:34pm] PeterThoeny: but your call
[3:35pm] HaraldJoerg: Yeah, 6.0.1 plus patches would be possible, too
[3:35pm] HaraldJoerg: I might need more patches for the extender
[3:35pm] PeterThoeny: yes
[3:36pm] PeterThoeny: the IfThenActionPlugin is now pretty complete
[3:36pm] PeterThoeny: http://twiki.org/cgi-bin/view/Plugins/IfThenActionPlugin
[3:36pm] HaraldJoerg: Nice
[3:36pm] PeterThoeny: if actions: register, save, upload, view
[3:37pm] HaraldJoerg: Adds some automated workflow capabilities
[3:37pm] PeterThoeny: then-actions: email, setformfield, touch, view, viewdaemon
[3:37pm] PeterThoeny: the source and target fields now support twiki variables, e.g. you can do pretty much any conditional stuff
[3:38pm] PeterThoeny: in the source you can do a condition, if you want to action output a web.topic (or topic list); if you don't, don't output anything
[3:38pm] HaraldJoerg left the chat room. (Read error: Connection reset by peer)