Drupal.org is still running the site_network module, which provides support for the legacy, insecure, XML-RPC based (pick any of those three sins) Drupal authentication scheme.

It seems that we can disable this completely now. This scheme is very seldom used now:

$ ls */transfer.log-20100928.gz | xargs -I% -P4 zgrep -cH "http://drupal.org/xmlrpc.php.*Drupal" %
www1/transfer.log-20100928.gz    2870
www2/transfer.log-20100928.gz    2813
www3/transfer.log-20100928.gz    0
www4/transfer.log-20100928.gz    2836
www5/transfer.log-20100928.gz    5832
www6/transfer.log-20100928.gz    5814
www7/transfer.log-20100928.gz    5726

We receive only about 25,000 XML-RPC requests a day, most of them I guess not being Site Network requests.

Comments

gerhard killesreiter’s picture

I am in favour of disabling it, but we probably should make an announcement about this and set a deadline (end of this year?).

drumm’s picture

Are we logging where these 25,000 XML-RPC requests per day are coming from? We can go to the source and notify them, instead of making a bunch of noise that might not be read by the right people.

damien tournoud’s picture

Actually, awstats tells us that xmlrpc.php was visited 248961 times in September, so it seems I accidentally grepped a high load day. Real usage is more around 9000 a day and most of those are actually from a host in Moscow (apparently hosting drupal.ru).

greggles’s picture

A start at an announcement - http://drupal.org/node/926664

Feel free to rewrite but I feel it doesn't hurt to get the message out early.

greggles’s picture

Also, once we post to the front page I suggest disabling the module for an hour to help alert people about some problem in the hopes that they'll come to d.o.

I agree in general with drumm's suggestion but it's relatively hard to track from IP to problematic domain. I'm not sure that's a good use of anyone's time.

greggles’s picture

Title: Disable site_network (legacy Drupal authentication) » Disable site_network (legacy Drupal authentication) November 1 and post the news on the front page

gerhard killesreiter’s picture

We should at least make an effort to warn people. It was relatively easy to find out that the IP Damien found in the logs belongs to drupal.ru:

http://ip-test.net/reverse-ip/

Maybe try to get the sites which have more than x requests per month?

damien tournoud’s picture

We have the full list of IPs ordered by usage available, and Gerhard is working on identifying websites from there.
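
Counting the XML-RPC traffic per source address, as the zgrep in the original post and the "list of IPs ordered by usage" above describe, written here as an added example rather than code from the thread or from Drupal.org's own tooling. It assumes the transfer logs are in Apache combined format and uses constructed sample lines with documentation-range addresses; an access log cannot show whether a call is a Site Network login, so it counts POSTs to xmlrpc.php from a Drupal user agent, which also keeps Mollom's XML-RPC calls (mentioned later in the thread) out of the tally.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed for the transfer.log files; not stated on the page).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2010:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Drupal (+http://drupal.org/)"
192.0.2.10 - - [28/Sep/2010:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 498 "-" "Drupal (+http://drupal.org/)"
198.51.100.7 - - [28/Sep/2010:10:02:40 +0000] "POST /xmlrpc.php HTTP/1.0" 200 377 "-" "Drupal (+http://drupal.org/)"
203.0.113.5 - - [28/Sep/2010:10:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1024 "-" "Mollom Client/1.0"
192.0.2.10 - - [28/Sep/2010:10:03:55 +0000] "GET /node/926664 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def is_drupal_xmlrpc_request(method, path, ua):
    """A POST to xmlrpc.php from a Drupal client: the traffic the legacy scheme rides on.
    The User-Agent filter excludes other XML-RPC users such as the Mollom client."""
    return method == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php") and ua.startswith("Drupal")


def count_by_ip(lines):
    """Return ({ip: count}, unparsable_line_count) for the matching requests."""
    counts, bad = Counter(), 0
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            bad += 1 if line.strip() else 0  # skip blank lines silently, count real junk
            continue
        if is_drupal_xmlrpc_request(m.group("method"), m.group("path"), m.group("ua")):
            counts[m.group("ip")] += 1
    return counts, bad


def top_sources(lines, n=10):
    """Source addresses ordered by usage, most active first, for follow-up with the site owners."""
    counts, _ = count_by_ip(lines)
    return counts.most_common(n)


if __name__ == "__main__":
    for ip, hits in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{hits:6d} {ip}")
```

On real logs, feed it `zcat www*/transfer.log-*.gz` output line by line rather than the embedded sample.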

gdemet’s picture

Feedback on the post in the webmasters issue queue: http://drupal.org/node/928650

greggles’s picture

As far as I know, groups.drupal.org is only run on one webserver and it uses mollom and mollom uses xmlrpc.

So, I guess the 1 server that gets a lot of xmlrpc traffic is the g.d.o server.

gerhard killesreiter’s picture

I've looked at the d.o logs and I've found that there are about 10k entries for the xmlrpc service. However, most of these are from 6(!) different d.o accounts. I've mailed the top 1 poweruser to enquire about this and will mail all 81 with a regular mail.

greggles’s picture

Even though it was scheduled for today, let's wait another day or two before doing this so people aren't confused between this issue and the cookie domain/bakery issue we created on Friday.

greggles’s picture

Status: Needs review » Fixed

Ok, it's a week later and the redirect issue is resolved.

Killes e-mailed something like 80 of the top users of the feature and none of them responded to him.

Looking at the logging he created, it's about 1-2 people per hour who use the service.

Let's disable this for real now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.