Summary: | RFE: RSS feed of incoming clipart | |
---|---|---|---
Product: | openclipart.org | Reporter: | Jon Phillips <jon>
Component: | tools | Assignee: | default user for a product <clipart>
Status: | CLOSED FIXED | QA Contact: |
Severity: | normal | |
Priority: | lowest | |
Version: | unspecified | |
Hardware: | x86 (IA32) | |
OS: | Linux (All) | |
URL: | http://openclipart.org | |
Whiteboard: | | |
Description
Jon Phillips
2005-06-22 00:51:16 UTC
From a security point of view I think this could be problematic.

This is NOT more problematic compared with the current display of the latest uploads. The only difference: having it in RSS allows syndication.

> This is NOT more problematic compared with the current display
> of the latest uploads.
Removing that was one of the security-related suggestions I had after the
recent security-related outage. I agree that, security-wise, the two are
equivalent; whether we publish the recently-submitted images that have not
been reviewed and approved in any way via RSS, or simply via standard HTTP,
the risk is the same. We should decide whether it's a risk we want to take
or not, and make the decision on both accordingly, i.e., either don't publish
incoming at all for security reasons, or else go ahead and have RSS
syndication of incoming (if someone wants to implement it, a task I am
not volunteering to do).
I tend to think a compromise solution might be better, a system whereby
people who log in with usernames and passwords, so that there is some
accountability, can review incoming images, add or adjust keywords if
necessary, and approve them, allowing them to then be moved from incoming
to another folder ("new" perhaps) and published from there. Handing out
accounts for this (note that they wouldn't need to be shell accounts)
rather liberally would still provide better security than just publishing
unreviewed and anonymously-contributed files, because it allows for better
response in the event of an incident, and because the accountability would
serve as a deterrent for some, and because it raises the bar a little in
the first place, as an attacker would have to go to the trouble of
requesting an account.
It does introduce a delay before a contributed item is published, though.
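The compromise sketched in the comment above (anonymous uploads land in an `incoming` area, an authenticated reviewer adjusts keywords and approves or rejects them, and only approved items move to a `new` area that the RSS feed and HTTP listing draw from) is shown below as an added illustrative example. This is not code from openclipart.org, cchost or any commenter; the class names, the `Reviewer` object, the state names and the `http://openclipart.org/new/` base URL are assumptions made for the example, and the sample submissions are constructed.

```python
"""Added example: moderation queue with reviewer accountability.

Illustrative code written for this page; not part of openclipart.org or cchost.
Names (Reviewer, ModerationQueue, feed_items, render_rss) and the base URL are
assumptions; the submissions in demo() are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

INCOMING = "incoming"   # anonymous, unreviewed uploads: never published
NEW = "new"             # reviewed and approved: eligible for RSS and HTTP listing
REJECTED = "rejected"   # reviewed and declined: kept only for the audit trail


@dataclass
class Reviewer:
    username: str
    authenticated: bool = False   # assumed flag set by a real login check


@dataclass
class Submission:
    sub_id: str
    filename: str
    keywords: List[str]
    state: str = INCOMING
    approved_by: Optional[str] = None


@dataclass
class ModerationQueue:
    submissions: Dict[str, Submission] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def submit(self, sub_id: str, filename: str, keywords: List[str]) -> None:
        # Anonymous contributions can only ever enter "incoming".
        self.submissions[sub_id] = Submission(sub_id, filename, list(keywords))
        self._log(None, "submit", sub_id)

    def review(self, reviewer: Reviewer, sub_id: str, approve: bool,
               keywords: Optional[List[str]] = None) -> None:
        # Accountability: every state change is tied to a logged-in account.
        if reviewer is None or not reviewer.authenticated:
            raise PermissionError("review requires an authenticated reviewer account")
        sub = self.submissions[sub_id]
        if sub.state != INCOMING:
            raise ValueError(f"{sub_id} was already reviewed ({sub.state})")
        if keywords is not None:
            sub.keywords = list(keywords)      # reviewer may add or adjust keywords
        sub.state = NEW if approve else REJECTED
        sub.approved_by = reviewer.username if approve else None
        self._log(reviewer.username, "approve" if approve else "reject", sub_id)

    def feed_items(self) -> List[Submission]:
        # The feed is built from "new" only; "incoming" is never syndicated.
        return [s for s in self.submissions.values() if s.state == NEW]

    def _log(self, who: Optional[str], action: str, sub_id: str) -> None:
        self.audit_log.append({"who": who, "action": action, "id": sub_id,
                               "at": datetime.now(timezone.utc).isoformat()})


def render_rss(queue: ModerationQueue,
               base_url: str = "http://openclipart.org/new/") -> str:
    # Minimal RSS 2.0 document over approved items only (base_url is an assumption).
    items = "".join(
        f"<item><title>{escape(s.filename)}</title>"
        f"<link>{escape(base_url + s.filename)}</link>"
        f"<category>{escape(','.join(s.keywords))}</category>"
        f"<author>{escape(s.approved_by or '')}</author></item>"
        for s in queue.feed_items())
    return ('<?xml version="1.0"?><rss version="2.0"><channel>'
            '<title>Reviewed clipart</title>' + items + '</channel></rss>')


def demo() -> ModerationQueue:
    # Constructed sample data: three anonymous uploads, one reviewer account.
    q = ModerationQueue()
    q.submit("s1", "tux.svg", ["penguin"])
    q.submit("s2", "unknown.svg", [])
    q.submit("s3", "flower.svg", ["plant"])
    alice = Reviewer("alice", authenticated=True)
    q.review(alice, "s1", approve=True, keywords=["penguin", "linux"])
    q.review(alice, "s2", approve=False)
    # An unauthenticated caller cannot approve s3, so it stays in "incoming".
    try:
        q.review(Reviewer("anon"), "s3", approve=True)
    except PermissionError:
        pass
    return q


if __name__ == "__main__":
    queue = demo()
    print(render_rss(queue))
    for entry in queue.audit_log:
        print(entry)
```

The point of the example is the single choke point: `feed_items()` is the only source for both the RSS document and any HTTP listing, so the two publication paths stay equivalent (as the comment argues they are) and neither can expose an item that has not been approved by a named account. The audit log is what makes incident response possible afterwards: it records who approved what and when.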
This now works at www.openclipart.org/cchost