fossasia / directory.api.fossasia.net

Saving JSON API files on private servers and the security

tradzik opened this issue · comments

Currently, when I make a pull request (adding a new community) I usually give a link to the JSON API file, which is stored on my webserver. Mentors take a look at my API file (I hope they take a look) and merge my request.

Let's suppose (hypothetically) I'm a bad person. Now about 17 communities' API files are hosted on my domain. I can:

a) remove them all and impoverish FOSSASIA.NET (remove about 1/3 of all communities)
b) edit them to add false data and discredit FOSSASIA.NET
c) edit them adding vulgarisms, insults, etc.

That is an INSECURE solution. FOSSASIA should implement something like an API file uploader (I can write it for you as a task on GCI ;) ), which will automatically store the API file on the server and mark it for review by a human. Then, after review, it will be automatically written into the directory.json file.

The example solution I described above isn't ideal, but it is better than the existing one.

I hope FOSSASIA makes backups of the API files. If something goes wrong, data will be restorable; otherwise you'll need one more GCI to rebuild your database (and I'm sure will anybody want to do tasks, if he will know his work could get lost...).

I think the situation I described couldn't happen anymore. The safety of this system is really low; everything is based on the first review by a mentor. You/We need to change that.

One of the central ideas of the API is decentralism.
At the end we want the communities themselves to host and maintain their API files.
As an intermediate solution I invite you to copy your files to the API file repository of fossasia: https://github.com/fossasia/fossasia-communities and change the corresponding directory entries.

I won't do that - too much pointless work.

I don't know why you closed this issue, so next question:
What is the first review for (after adding the file to dicitonary.json), if
after this operation I can freely change this file?

On Sun Dec 21 2014 at 14:17:14, user Andi notifications@github.com
wrote:

One of the central ideas of the API is decentralism.
At the end we want the communities themselves to host and maintain their API
files.
As an intermediate solution I invite you to copy your files to the API
file repository of fossasia:
https://github.com/fossasia/fossasia-communities and change the
corresponding directory entries.

I think you didn't understand what I tried to say: At the end we don't want a central API file store.
Communities should be enabled to host these files on their own, change them on their own and we just fetch the data.
IMO developing a tool for a central storage is pointless work. I just asked you to copy your files to our repository (e.g. for backup purposes), which is just to clone the fossasia-communities-repo, copy your files and commit them. The next step was to replace your URL with the GitHub URL. 2 simple steps.
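
An added illustration, not part of the original thread and not FOSSASIA's code: one way to notice that a remotely hosted API file was edited or removed after its first review is to pin a digest of the reviewed content and compare it on every fetch, while continuing to serve the last reviewed copy. The function names, community names and JSON fields are assumptions constructed for the example.

```python
import hashlib
import json


def canonical_digest(body: bytes) -> str:
    """SHA-256 over a canonical re-serialisation, so reformatting alone is not a change."""
    doc = json.loads(body.decode("utf-8"))
    canon = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


def classify(reviewed_digest: str, fetched) -> str:
    """Compare a fresh fetch (bytes, or None if unreachable) with the reviewed digest."""
    if fetched is None:
        return "missing"  # case a) in the issue: the file was removed
    try:
        current = canonical_digest(fetched)
    except (UnicodeDecodeError, ValueError):
        return "invalid"  # the URL no longer returns a JSON document
    # cases b) and c): content differs from what the mentor reviewed
    return "unchanged" if current == reviewed_digest else "needs-review"


def build_directory(reviewed: dict, fetches: dict):
    """Return (published, report); published only ever contains reviewed content."""
    published, report = {}, {}
    for name, entry in reviewed.items():
        report[name] = classify(entry["sha256"], fetches.get(name))
        published[name] = entry["copy"]  # last human-reviewed copy is what is served
    return published, report


# Constructed sample data: hypothetical communities and fields, no network access.
SAMPLE = b'{"name": "Example Hackerspace", "url": "https://example.org"}'
REVIEWED = {
    name: {"sha256": canonical_digest(SAMPLE), "copy": SAMPLE}
    for name in ("alpha", "beta", "gamma", "delta")
}
FETCHES = {
    "alpha": b'{"url":"https://example.org","name":"Example Hackerspace"}',  # reformatted
    "beta": b'{"name": "Defaced", "url": "https://example.org"}',  # edited after review
    "gamma": None,  # host removed the file
    "delta": b"<html>404 Not Found</html>",  # URL now returns an error page
}

if __name__ == "__main__":
    for name, status in build_directory(REVIEWED, FETCHES)[1].items():
        print(f"{name}: {status}")
```

Entries reported as `needs-review`, `missing` or `invalid` go back to a human reviewer, and hosting stays decentralised because only a digest and a backup copy are kept centrally.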