#927012 libravatar.cgi on bugs.debian.org fails with 500 error

#927012#5
Date:
2019-04-13 14:51:12 UTC
From:
To:
Package: bugs.debian.org

My avatar (and indeed all avatars) are not showing up on bugs.debian.org.

When I tried to access the URL:
https://bugs.debian.org/cgi-bin/libravatar.cgi?email=greenreaper%40gmail.com
I got an 500 Internal Server Error:
---
Internal Server Error

The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator at owner@bugs.debian.org to inform
them of the time this error occurred, and the actions you performed just
before this error.

More information about this error may be available in the server error log.
Apache Server at bugs.debian.org Port 443
---

I believe my own avatar would normally be obtained from Gravatar.

I checked in #libravatar on Freenode first to see if there was something up
with the service on their end, but they said the cgi script was a caching
mechanism and I should file a bug here.

While the avatar is a minor feature, it is useful for quickly identifying
the participants.

Best regards,

#927012#10
Date:
2019-12-03 08:28:10 UTC
From:
To:
Hi!

This bug has been reported a while ago and popped up again during some
conversation in our IRC channel today.
As the maintainer of libravatar.org, I wonder if I can help somehow to
solve this problem?

Please let me know if I can help in some way!

Kind regards,
 Oliver

#927012#15
Date:
2022-04-07 07:34:40 UTC
From:
To:
FTR; this CGI script was disabled some years ago because it was
overloading the Debian bug servers. There was a plan to switch the
script from CGI to mod_perl but that never happened. As an example of
traffic, yesterday there were 21408 attempted executions of the script.
If anyone wants to work on the script, the source code for it is here:

https://salsa.debian.org/debbugs-team/debbugs/-/blob/master/cgi/libravatar.cgi

#927012#20
Date:
2022-04-07 09:01:13 UTC
From:
To:
Hi all!

I remember the CGI was disabled quite some time ago, but I have to admit, I
never had the chance to engage with the right people to see how we can fix
it.
I understand the script was added in order to provide additional caching,
right?
What about if we change this to directly access libravatar.org and see if
the performance is sufficient? (doesn't address federation...).

There is a very simple libravatar proxy python script:
https://git.linux-kernel.at/oliver/ivatar/-/blob/master/libravatarproxy.py

Note, this doesn't take into account any federation, but that could be
added easily and it's on my todo list.

Since I do have some Perl experience as well, if you want to stick with
Perl, I can also look into the existing CGI and depending on if you want or
not, also add federation.

Point is: I'm very willing to help out to get this running again - for
obvious reasons. :-)

Oliver

#927012#25
Date:
2022-04-07 09:52:28 UTC
From:
To:
To be clear, I'm not the right person, just relaying some info that got
dug up on IRC today when other people noticed the script was broken.

I think it was mainly for privacy; not sending the avatar image
requests to third-party domains such as libravatar.org.

That would presumably work, but there is the privacy issue.

Since the Debian BTS is written in Perl I assume the admins prefer it.

That would be helpful I think.

I also note from looking at the Apache config today that the script
might have already been migrated to mod_perl, but I wasn't sure, so
I'll leave it up to the Debian BTS admins to check and respond and
maybe re-enable execution of the script again.

#927012#30
Date:
2022-04-07 10:39:30 UTC
From:
To:
Thanks for clarifying that - noted!
Libravatar doesn't see the client IPs, but that's all. Currently, what
happens is that the local CGI script is actually called with the mail
address instead of the hash, which I'd see as a bigger issue.

Note that Libravatar has a privacy policy in place:
https://www.libravatar.org/privacy/

Libravatar is a community driven project with a lot of eyes on it and we're
fully committed to stay neutral; Read: We're not going to share or sell
data.

I do understand people are concerned about privacy - I am too and that was
one of the reasons why I stepped in as the core maintainer when fmarier
decided to give up on the project and even added an option to proxy
requests to Gravatar instead of redirecting.

Fair point!

Without digging much into it (esp. because I don't have the relevant
modules + config in place), I'd say the script *should* work; No idea why
it's currently throwing a server error.

Thanks for checking! mod_perl should definitely help a bit to speed things
up, but currently it looks like there is some error and not like someone
disabled the script, but I have no insights of course.

Cheers,
 Oliver

#927012#35
Date:
2022-04-08 00:10:29 UTC
From:
To:
Its about not asking browsers to do third-party requests, which is the
policy for all Debian domains (where possible) and yes isn't a security
issue, but it is a privacy and trust issue.

That issue does need to be fixed yeah, please file a separate bug
report about that issue.

This privacy policy and your practices are different to Debian's, for
example we don't log IP addresses by default, we don't use cookies or
JavaScript by default, we prefer to use static HTML by default, we have
Tor Onion sites, we delete old logs after a short period of time etc.

I expect the Libravatar community is definitely trustworthy in general,
but visitors to Debian websites shouldn't have to review the privacy
policies and trustworthyness of third-parties when visiting our sites.

Thanks for that work, I'm glad Libravatar got rescued!

The script in the git repository has execute permissions, but the
script on the server does not and this is reflected in the server logs.
Other folks on the IRC channel said it has been disabled due to
overloading the server, referring me to previous discussions. 

The Debian BTS admin has confirmed that the script needs fixing:

<dondelelcaro> pabs: yeah, the design of libravatar.cgi needs to be readdressed before it gets renabled

#927012#40
Date:
2022-04-08 04:24:21 UTC
From:
To:
The basic code is working, but we were having performance issues which
is why it was disabled on bugs.debian.org.

I haven't had a chance to dig into exactly why it was failing, though
now that everything is using md5sum of the e-mail addresses, I think the
privacy concerns that were mentioned previously have been addressed.

It's not super high on my priority list to fix, but I'll try to get to
it when I have some time.

#927012#45
Date:
2022-04-08 11:12:20 UTC
From:
To:
Fair point and if that's the policy, it's perfectly fine.

I thought about this again and well, this would actually break the
federation :-{

Again, fair point!

[ ... ]

OK, that explains the server error.

Again, if I know exactly what is requested, I'm happy to help out with my
coding knowledge!

Oliver

#927012#50
Date:
2022-04-08 11:14:16 UTC
From:
To:
When I checked it yesterday, the script was still called with the mail
address !?

Let me know if I can help you in some way, I'm happy to do so if I know
what exactly is required.

Oliver

#927012#55
Date:
2022-04-09 04:07:14 UTC
From:
To:
The script is, but libravatar and gravatar are no longer called with the
mail address; they're all using the md5 of the e-mail address now. [The
script caches responses from libravatar and gravatar and serves them
directly, so there's limited leakage of information on who is visiting a
specific page.]

Thanks! To be honest, I haven't looked at the issue recently, so I'll
have to dig in to see what was failing. [It's probably time to just have
it use mod_perl directly instead of the CGI-based mod_perl.]

#927012#60
Date:
2022-04-14 11:32:01 UTC
From:
To:
Hi!

Yes, libravatar never had the option to query with the plaintext identity
for good reasons.

Again, if there is anything I can do, please let me know!

Oliver