WWW-Tech Mtg 11/1/95, Rough Notes

Attendees: Les Cottrell, Tony Johnson, Karl Young, Philippe Argouarch, Joan Winters, Kathryn Hennis, Laurie Gennari, John Halperin, Bebo White.

Agenda:

Log File Analysis continued

Les came up with a simple script to get statistics on the number of hits to a SLAC page. Tony enhanced it to provide more detailed information on where (domain) it was accessed from. There were concerns about how much time the fuller analysis could take. The decision was to run it under "nice" in order to reduce the impact on others using the server. Whether or not it runs under "nice" may be determined by the number of days it was asked for.

In addition, there will be a radio button choice at the top that will ask the user what kind of report they want, i.e. the short or long form.

Tony and Les will merge their forms, put them in a sensible place, and make them call the two scripts (also to be put in the right place). John will check the security.

Status of WWW Coordinating Committee - Pat Kreitz

This has been formed and letters have been sent to the members. Pat Kreitz is the chair. There are representatives from each division.

CGI Scripts

We agreed that where mailto: is appropriate it should be used instead of other mail scripts. Joan requested that the suggest script point to mailto:. Tony does not know whether this is possible, so suggest/ will be phased out. Joan may need help with a script to patch a set of her files (that access suggest/) accessed from the new SLAC home page.

Bebo will remove unnecessary old mail CGI scripts and look at the sendmail man pages to see how to use the -t option to secure the remaining mail CGI scripts.
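An added example (not from the meeting and not one of the SLAC scripts) of what the -t option changes in a mail CGI script: the recipient is a fixed header written by the script, and no form data is placed on the sendmail command line. The sendmail path, the addresses and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not one of the SLAC scripts. Paths, addresses and
# function names are constructed for illustration.

SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"   # assumed location
FEEDBACK_TO="webmaster@example.org"          # fixed by the script owner

# Weak pattern, for contrast: the recipient comes from the form and is
# placed on the mailer's command line, so form data reaches the command:
#     /usr/sbin/sendmail "$form_recipient" < message

# Header values must stay on one line. Dropping CR and LF stops form
# input from adding headers of its own (with -t, an injected Cc: or
# Bcc: line would become a real recipient).
one_line() {
    printf '%s' "$1" | tr -d '\r\n'
}

# build_message SENDER SUBJECT BODY  -> complete message on stdout
build_message() {
    printf 'To: %s\n' "$FEEDBACK_TO"
    printf 'Reply-To: %s\n' "$(one_line "$1")"
    printf 'Subject: %s\n' "$(one_line "$2")"
    printf '\n%s\n' "$3"
}

send_feedback() {
    # -t  : recipients are read from the To:/Cc:/Bcc: headers on stdin
    # -oi : a line containing only "." does not end the message
    build_message "$@" | "$SENDMAIL" -t -oi
}

# Constructed form input containing an attempted extra header.
build_message "$(printf 'visitor@example.net\nBcc: list@example.com')" \
    'Broken link' 'The link on the home page is dead.'
```

Because -t makes the headers authoritative for delivery, the one-line filtering of header values is what keeps the recipient list under the script's control.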

Web Security Problems

John raised the question of how we should perform WWW CGI script security. At the moment, John in his spare time looks at scripts and notifies people of problems in scripts and hopes they fix the problems.

Bebo will catalogue the purpose and ownership of cgi-bin scripts.

There are problems with the time this takes, and that John may not be skilled at all the languages that people may write scripts in.

Les has a WWW page on writing Secure CGI scripts which we should publicise to people who are starting to write CGI scripts. John and Bebo will provide Les with some pointers to FAQs to do with more on security. Les will put pointers in his "Writing Secure CGI Scripts" page to these references.

Joan will highlight this page in her WWW Resources page.

John expressed his appreciation to Les for fronting the requests for users who want to write new CGI scripts.

Everybody will remove obsolete (probably insecure) scripts from the cgi-bin directory.

Tony and Les will raise the issue of CGI bin scripts and the manpower required to qualify them at the WWW Coordinators meeting.

1996 Budget

Les raised the question of how much money should be budgeted for software for WWW. The types of things we may need are: newer more secure servers (guesstimate $5K), WWW software management, Livewire (~$700) to fix up moving links, a sitewide license for a new Web browser. Things are changing so fast it is very difficult to estimate needs. Les will put some money in his Network budget to try and cover this.

Test WWW Server

Les has raised the question of setting up a test server to allow testing of CGI scripts in a test environment. Such a server could be restarted on a daily basis to clean out dead processes.

Some testing can be done by setting environment variables, running the script, piping the output to a file, and looking at the output with the browser's local file option. However, this does not see the same environment (e.g. user id etc.).
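An added example (not from the meeting) of the offline test just described: it sets server-style environment variables, runs the script, splits the headers from the body, and saves the body for the browser's local file option. The function name run_cgi_offline, the variable values and the sample hello.cgi script are all constructed.

```shell
#!/bin/sh
# Added example: run a CGI script outside the server, as the notes describe.
# run_cgi_offline and all values below are hypothetical/constructed.

# run_cgi_offline SCRIPT QUERY OUTFILE
# Prints the response headers; writes the body to OUTFILE so it can be
# opened with the browser's local file option.
run_cgi_offline() {
    script=$1; query=$2; out=$3; status=0
    raw=$(mktemp) || return 1
    # env -i starts from an empty environment, so the script sees only
    # server-style variables and not the tester's login environment.
    env -i PATH=/bin:/usr/bin \
        GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.0 \
        SERVER_NAME=localhost SERVER_PORT=5080 \
        REQUEST_METHOD=GET QUERY_STRING="$query" \
        SCRIPT_NAME="/cgi-bin/${script##*/}" REMOTE_ADDR=127.0.0.1 \
        "$script" > "$raw" || status=$?
    # CGI output is header lines, one blank line, then the body.
    hdrs=$(tr -d '\r' < "$raw" | sed -n '/^$/q;p')
    tr -d '\r' < "$raw" | sed '1,/^$/d' > "$out"
    rm -f "$raw"
    printf '%s\n' "$hdrs"
    # A response with no Content-Type would be rejected by a real server.
    printf '%s\n' "$hdrs" | grep -qi '^content-type:' || status=2
    # The limitation the notes mention: this runs under the tester's
    # user id and privileges, not those of the web server.
    echo "note: ran as $(id -un), not the server's user" >&2
    return $status
}

# Constructed sample CGI script used to exercise the harness.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hello.cgi" <<'EOF'
#!/bin/sh
printf 'Content-Type: text/html\r\n\r\n'
printf '<p>query=%s home=%s</p>\n' "$QUERY_STRING" "${HOME:-unset}"
EOF
chmod +x "$demo_dir/hello.cgi"
run_cgi_offline "$demo_dir/hello.cgi" 'page=slac' "$demo_dir/out.html"
cat "$demo_dir/out.html"
```

A script that passes here can still fail or behave differently under the server, since file permissions and the effective user id are those of the person running the test.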

There is already a test WWW server at port 5080. Several other options were discussed. It was decided to use the 5080 server as a test vehicle. Les will look at modifying cgi-wrap to use an additional rules file if it is running on the test server.

Status of VM WWW Server

Bebo brought a question from the VM phase out committee as to how long we will continue to need the VM WWW server. There are 3 issues: plain pages; SPIRES pages; SLD has a lot of stuff on VM that is tied to their production system that it is planned to move off within a year. For the plain pages Joan expects the bulk of the pages to be moved when the new SLAC home page goes into production. This is being gated by the Institutional page being ready. Kathryn plans to have this ready by Thanksgiving 1995.

Next Meeting

Next meeting is the 15th of November 1995.

Action Items

AOB

Bebo has a new Web Developer Magazine which he will pass around.

Joan showed her new sparse and dense pages. There was discussion about the use of the Top button, which was generally agreed to be a bad idea, since there are other ways to get to the top and bottom of a page (middle button on Motif, Home and End keys on MacOS, Shift-Home and Shift-End on WNT etc.). In lieu of the Style Committee meeting to decide on this, Joan agreed to remove the Top button.


Les Cottrell