Slashdot Mirror


Savannah Back Online With Extra Security

depesz writes "As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

172 comments

  1. Congratulations by xyzzy · · Score: 4, Insightful

    On yet another slashdot posting with absolutely zero informative content (except possibly to people who already knew what the article meant).

    1. Re:Congratulations by captredballs · · Score: 0, Offtopic

      Configuring Internet Explorer to identify hyperlinks[1]:

      1. Activate the "Tools" menu at the top of IE
      2. Select the "Internet Settings" menu item
      3. Select the "General" tab at the top of the dialog. This tab may already be selected.
      4. Activate the "Colors" button at the bottom of the dialog
      5. Choose bright, yet readable, colors for both visited and unvisited links. A third "hover color" may be selected to make hyperlinks even more visible when under the mouse cursor.
      6. Now select the "Advanced" tab at the top of the dialog.
      7. Under "Browsing", then further under "Underline links" in the hierarchy of options, select the "Always" radio button.
      8. Activate the "OK" button at the bottom of the dialog.

      Hyperlinks will now be noticeably identified by underlined text in the colors you have chosen. Be warned that improper use of javascript on websites such as www.msnbc.com may render hyperlinks more difficult to see. Slashdot and other websites that adhere to established guidelines do not employ these methods.

      Thank you for visiting Slashdot.org, please remember to log in and meta-moderate.

      [1] A hyperlink is, in its most common incarnation, a portion of text inside a greater body of text such as a paragraph. The text itself should fit into the context of the content, but has an associated website address. This website address should, according to style, contain information on the subject that the hyperlink text is being used to represent. A perspective that may be helpful is that the hyperlink text represents a question and the website associated with the link is the answer. Instead of requiring the consultation of other sources to define the meaning of the hyperlink's text, it is possible to follow the link directly and discover the author's intent.

      Links are usually "followed" by placing the mouse cursor over the link and activating the left mouse button. While the concept may seem unnatural, people who are familiar with interfaces such as ATMs, touch tone telephone menus, and mass transit kiosks usually catch on quite quickly.

      (c)CaptainRedBalls Instructional Aids

      --

      I suppose I'm not too threatening, presently, but wait till I start Nautilus
    2. Re:Congratulations by shnarez · · Score: 2, Funny

      It's a slow news day, whatcha want. :-)

    3. Re:Congratulations by Anonymous Coward · · Score: 0

      You're a little stupid aren't you.

    4. Re:Congratulations by AKAImBatman · · Score: 2, Funny

      On yet another slashdot posting with absolutely zero informative content

      Drats. Here I was hoping that they had brought back the good ship Savannah.

    5. Re:Congratulations by Anonymous Coward · · Score: 0

      Learn to spell. Then maybe you can pick on someone's grammar.

      Incidentally, the guy may not have been asking it as a question. Often, Brits will say "aren't you" at the end of a phrase for emphasis. The intonation of the sentence indicates it is clearly not a question.

      But you're an idiot, aren't you, and wouldn't know that.

    6. Re:Congratulations by Anonymous Coward · · Score: 0

      Good call. I've lived in America for damn near 20 years and thought I'd gotten rid of all my English colloquialisms.

      And he is an idiot.

    7. Re:Congratulations by Jacek+Poplawski · · Score: 3, Informative

      I am afraid you are wrong. Savannah is a very important website. Many free projects are hosted there (for example mldonkey), and with the whole site disabled development was almost completely stopped for many days.

    8. Re:Congratulations by Anonymous Coward · · Score: 0

      Sentance?

    9. Re:Congratulations by depesz · · Score: 1

      my information was not long because i assumed that all (or most of) the people reading slashdot know:

      1. what savannah is
      2. that it was down due to security compromise

      plus, more information about what was changed and why can be found on the site that i gave the link to.

      of course these might be wrong assumptions, so next time i post information to slashdot i'll remember about it, and make myself verbose. (depesz --verbose post)

      depesz
    10. Re:Congratulations by sg_oneill · · Score: 2, Informative

      Ignore 'em, depesz. I know, as do most IT folk who have anything vaguely resembling a clue.

      Unfortunately some folk see it better to criticize what they don't understand rather than.. oh... say ... ask a question that leads to an answer that informs and delights others.

      Had it been asked, one could have then replied "Savannah is GNU/FSF's version of Sourceforge without the proprietary bits or non free projects."

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    11. Re:Congratulations by archen · · Score: 1

      I was hoping it was this savannah myself.

    12. Re:Congratulations by xyzzy · · Score: 1

      I wasn't trying to bitch you out as the submitter, but the "editors" of the site. No, not everyone knows the two points you stated, but the script kiddies^H^H^H^H^H^H^H^H^H^Heditors should have known that, not you.

    13. Re:Congratulations by YOU+LIKEWISE+FAIL+IT · · Score: 1

      Well, mark it down as overrated if you must, this comment made me laugh out loud.

      --
      One god, one market, one truth, one consumer.
  2. Seems fitting that they'd use the name Savannah by ObviousGuy · · Score: 0

    I guess the creators couldn't see the irony in the name.

    --
    I have been pwned because my /. password was too easy to guess.
  3. Savanah is back online again by rxed · · Score: 5, Funny

    Not anymore. It's been slashdotted. :-)

    1. Re:Savanah is back online again by xie · · Score: 5, Informative

      Actually they are back "online" but reading here it seems most things won't be functional till "early January 2004".

    2. Re:Savanah is back online again by DAldredge · · Score: 3, Interesting

      The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

      Just read my journal. It explains some of what has happened.

    3. Re:Savanah is back online again by Anonymous Coward · · Score: 0

      For people looking for more information about the GFDL:

      Draft Debian Position on GFDL
      Why you shouldn't use the GFDL
      Official GFDL Text

    4. Re:Savanah is back online again by sg_oneill · · Score: 3, Informative

      The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

      Just read my journal. It explains some of what has happened.


      Who modded that troll? Geez. Read the journal article. The guy just got booted as a Hurd maintainer because he was worried the GNU doc licence is too non-free.

      Also dude, you should submit your story onto newsforge or something. It's worrying.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    5. Re:Savanah is back online again by Demonspawn · · Score: 1

      Highly interesting is http://www.gnu.org/philosophy/bsd.html where GNU themselves state that the Original BSD license is "too restrictive" as it requires verbatim copying of "too many" advertising clauses.... and then make the GFDL require the same type of crap.

      --Demonspawn

  4. Questions by Scrameustache · · Score: 4, Insightful

    What is Savahna?
    Why was it not online?
    Why should I care?
    Where's the rocketpacks? We were promised rocketpacks...

    --

    You can't take the sky from me...

    1. Re:Questions by mattjb0010 · · Score: 3, Funny

      What is Savahna?
      Why was it not online?
      Why should I care?

      Why don't you RTFA?

    2. Re:Questions by after · · Score: 0, Troll

      The Source Forge of GNU software.
      It got hacksored.
      Because it ownz j00 fool.
      At Savannah.

    3. Re:Questions by Anonymous Coward · · Score: 5, Informative

      What is Savannah?

      Savannah is a sort of "home base" for GNU Project developers. They can set up web sites for their projects, CVS repositories, mailing lists, post want-ads for developers, etc.

      Why was it not online?

      Early this month / late last month the system was compromised in some way. I'm not sure if anything was actually damaged or not, but it's best to try to keep things as secure as possible. Hence it was taken offline, reinstalled, and new security procedures have been (and are being) developed.

      Why should I care?

      If you're not a GNU developer, it has little immediate impact on you. It's one of those "just sharing" stories. :-)

      Where's the rocketpacks?

      I don't know, but I know that I don't have them.

    4. Re:Questions by mattjb0010 · · Score: 0, Flamebait

      Point is TFA should be properly introduced

      You were given a site at gnu.org (if you don't know what GNU is, why are you reading /.?), told what had happened, and what the current status of the site was. What part of that didn't you understand?

    5. Re:Questions by Anonymous Coward · · Score: 0

      Where's the rocketpacks?
      I don't know, but I know that I don't have them.

      They're in the laptop bag.

    6. Re:Questions by Anonymous Coward · · Score: 0

      Then for that matter, why post an article telling Slashdotters that it's back up? Why aren't the interested parties Googling for news regarding Savannah? Get off it.

    7. Re:Questions by HolyCoitus · · Score: 2, Funny

      There was an article? Oh man... Are there usually articles attached to these little blurbs? I knew I had to be missing SOMETHING... I just assumed everyone knew more than me.

      --
      That's scary.
    8. Re:Questions by Anonymous Coward · · Score: 0

      And would it have been that hard to put on the main page?

      "...Savannah, a sort of 'home base' for GNU Project developers, is back online."

      Oh well, I guess I can't code in machine language, so I don't deserve to know, I need to explicitly reveal myself as one of the uninitiated to find out.

    9. Re:Questions by rifter · · Score: 1

      "Point is TFA should be properly introduced"

      You were given a site at gnu.org (if you don't know what GNU is, why are you reading /.?), told what had happened, and what the current status of the site was. What part of that didn't you understand?

      First off, there wasn't a Fucking Article. Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something).

      Now, there was an earlier slashdot article that said it was going offline. That article IIRC told more about what the hell savannah was, and why it went down, etc. That was an actual informative article, and, surprisingly, is linked to an article.

      Savannah is more than just a website, so obviously you did not know what it was either but you want to look like a smartass. Congratulations, you have succeeded in looking like a smartass.

    10. Re:Questions by mattjb0010 · · Score: 1

      Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)

      There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

    11. Re:Questions by rifter · · Score: 1

      "Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)"

      There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

      Whatever. The point, which you seem to have missed, is that this is the Laziest Slashdot Article Ever. Not only was there no information in the blurb, but there was not even a linked article for crying out loud! I mean granted no one reads them anymore, but jiminey crikers!

    12. Re:Questions by hak+hak · · Score: 1

      Savannah is not just for GNU developers; anyone can base their free software project there. It's just that Savannah itself is the official website for many GNU packages.

    13. Re:Questions by Anonymous Coward · · Score: 0

      Why don't you STFU?

    14. Re:Questions by erlenic · · Score: 5, Funny

      What is Savannah?
      Why was Savannah not online?

      From the looks of it, Google had no idea that the city of Savannah, GA in the US was offline. Come to think of it, neither did I. Well, I'm happy for everyone that lives there. I can't imagine living through several weeks of my city being offline.

    15. Re:Questions by Anonymous Coward · · Score: 0

      Why should I care enough to spend time RTFAing..

      You seem to care enough to post whiny fucking messages here complaining about the fact that you're a fucking lazy idiot who can't educate themselves or follow a damn link. Why don't you just shut the fuck up and stop being such a whiny fucking bitch?

    16. Re:Questions by MicroBerto · · Score: 1

      Not only that, but I spent a minute on their websites and found nothing. What's a web site that doesn't tell its readers WHAT they are? Terrible.

      --
      Berto
    17. Re:Questions by Anonymous Coward · · Score: 0

      Move out of your parents' basement, you fucking loser. Also, good luck ever finding a job where you aren't typing numbers into a database for twelve hours a day.

    18. Re:Questions by Lost+Race · · Score: 1

      Where's the rocketpacks? We were promised rocketpacks...

      Quake.ihoc.net! Rocketpacks for all since 1999.
    19. Re:Questions by Narchie+Troll · · Score: 1

      "This web site (called Savannah) is a central point for development, distribution and maintenance of GNU Software."

      The first line at the top of http://savannah.gnu.org. What the fuck are you smoking?

    20. Re:Questions by Anonymous Coward · · Score: 0

      Why don't you post a meaningful, useful reply? Asshole.

    21. Re:Questions by Anonymous Coward · · Score: 0

      I totally agree. I tried something similar for Jokko

  5. Security ? by fewnorms · · Score: 2, Interesting

    And yet they still use Apache 1.3.26? Which by now is known to have some nice exploits and other faults ... no disrespect to apache here though, it's still far superior to that IIS crap.

    --
    Veni, Vidi, Velcro!
    1. Re:Security ? by damiam · · Score: 5, Informative

      It's quite likely that that's a vendor version (from Debian stable?) that has had all relevant bugfixes and patches backported by the vendor. I really doubt they'd use the vanilla 1.3.26.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:Security ? by MyHair · · Score: 1

      Debian backported the security fixes to its stable release of 1.3.26. I seem to be too tired to find a relevant link to support this. Sorry. I'm also too lazy to verify that Savannah is running Debian, but it's a pretty safe assumption I think.

    3. Re:Security ? by LnxAddct · · Score: 1

      What's up groupie! I'll bet you've never even used Apache.

    4. Re:Security ? by wobblie · · Score: 1

      No one in their right mind who wants to run a stable system updates versions to solve security problems; you use a patch against the version you are running. Things are less likely to break this way.

  6. Thanks GNU we love YOU by after · · Score: 2, Insightful

    Awesome.

    Although, I wish Savannah had some sort of system where I could do installation of software similar in the way that FreeBSD does: the ports collection.

    There are a lot of cool program there that I use daily, and I would like to have them all upgraded and manageable through a simple collection of applications (like the package managers for the ports collection.)

    Either way, manager or no manager, there are some applications that I wanted to go get so Ill go do that now.

    Thanks GNU we love YOU.

  7. Obligatory Stallman Lingo by toupsie · · Score: 5, Funny

    Savannah wasn't hacked, it was GNU/0wn3d.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  8. Xen for better separation than chroot? by redhat421 · · Score: 4, Interesting

    When I look at intrusions like this, I wonder if using something like Xen is a perfect fit for protecting projects from each other

    or perhaps as a backup known good environment.

    1. Re:Xen for better separation than chroot? by Anonymous Coward · · Score: 0

      Actually User Mode Linux is probably the better choice for what you're thinking of. And though I've got no data to back this up, conceptually it seems more secure than a chroot (though honestly both seem pretty good).

    2. Re:Xen for better separation than chroot? by Anonymous Coward · · Score: 0

      If anyone got root in a User Mode Linux process, they could probably exploit kernel bugs in the host kernel, like the brk() bug. A standard exploit probably wouldn't work, so it would slow down some attackers (similar to how a non-X86 machine stopped the Debian cracker). But I don't think it would really be secure against kernel bugs. And Xen probably wouldn't be much better - you need a secure kernel.

      In theory, a kernel-level bug is the only way for a non-root user to escape a chroot. UML is useful for creating virtual servers, where people can have root access and administer their own set of users. Chroot is fine if you don't need that.

    3. Re:Xen for better separation than chroot? by lkaos · · Score: 1

      well.. Xen is designed to run 100 VMs at once. I think limiting Savannah to 100 projects is a bit restrictive.

      Using a chroot and only letting things run in that chroot'd environment as a lesser user is pretty much as good as long as we can avoid kernel holes. Of course, this was the original problem....

      --
      int func(int a);
      func((b += 3, b));
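lkaos's point that a chroot is only as good as running everything inside it as a lesser user depends on the privilege drop being done in the right order and then verified. The block below is an added example, not code from Savannah, Xen or UML: a Python helper that enters a chroot, drops supplementary groups, gid and uid, and then proves to itself that root cannot be regained. The jail path and the uid/gid 65534 (the conventional "nobody" ids) are assumptions; the process must be started as root to enter the jail, while the verification helper works for any user.

```python
"""Confine a service in a chroot, drop to an unprivileged user, then verify it.

Added example, not code from Savannah or from the Xen/UML projects. The order
matters: chroot, chdir into the new root, drop supplementary groups, gid, and
uid last (once the uid is unprivileged nothing else can be changed). Entering
the jail requires root; privileges_dropped() can be run by any user. The uid
and gid 65534 used in __main__ are an assumption (conventional "nobody").
"""
import os


def running_as_root():
    return os.geteuid() == 0


def current_ids():
    """Real uid and gid of this process, for callers that want to verify them."""
    return os.getuid(), os.getgid()


def privileges_dropped(uid, gid):
    """True when the process runs as uid/gid and can no longer become root."""
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        return False
    try:
        os.setuid(0)  # must fail once real, effective and saved uid are unprivileged
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: root is still reachable


def leftover_groups(gid):
    """Supplementary groups other than gid: the usual leak when setgroups() is skipped."""
    return sorted(g for g in os.getgroups() if g != gid)


def enter_sandbox(root, uid, gid):
    """Chroot into `root` and become uid/gid; raises if any step fails or leaks."""
    os.chroot(root)     # needs CAP_SYS_CHROOT, i.e. root
    os.chdir("/")       # otherwise the cwd still refers to a directory outside the jail
    os.setgroups([])    # drop supplementary groups while we are still root
    os.setgid(gid)      # gid before uid: after setuid() the gid can no longer change
    os.setuid(uid)      # for a root process this sets real, effective and saved uid
    if not privileges_dropped(uid, gid) or leftover_groups(gid):
        raise RuntimeError("privilege drop incomplete; refusing to serve")


def try_enter_sandbox(root, uid, gid):
    """Wrapper that reports a status string instead of raising."""
    try:
        enter_sandbox(root, uid, gid)
    except PermissionError as e:
        return "refused: %s" % e
    except (OSError, RuntimeError) as e:
        return "failed: %s" % e
    return "entered %s as uid=%d gid=%d" % (root, os.getuid(), os.getgid())


if __name__ == "__main__":
    # Assumed jail directory; as a non-root user this reports "refused".
    print(try_enter_sandbox("/var/empty", 65534, 65534))
    print("privileges dropped:", privileges_dropped(*current_ids()))
```

The self-check at the end of `enter_sandbox` is the part most deployments skip: a service that calls `setuid()` but keeps a leftover supplementary group, or that never calls `chdir()` after `chroot()`, looks confined but is not.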
  9. All security problems? by cperciva · · Score: 2, Insightful

    all security problems are resolved

    I rather doubt that. Perhaps all security problems of which the server administrators are aware have been resolved, but there are definitely going to be other security problems left.

    1. Re:All security problems? by Anonymous Coward · · Score: 1, Funny

      Thanks Mr Precise. We really couldn't have figured that out.

    2. Re:All security problems? by Anonymous Coward · · Score: 0

      >all security problems of which the server administrators are aware have been resolved

      A problem is a "problem" when it's identified as such. Otherwise it's NOT. For example a cigarette is a problem because it's a known carcinogen. But nobody considers an apple a problem because it doesn't have any identified problem like a cigarette. But if tomorrow somebody comes up with some research and proves that apples are carcinogenic, then it will be considered a problem. So in real life we consider only known problems as "problems". Same goes with vulnerabilities also.

    3. Re:All security problems? by cperciva · · Score: 1

      Quoth the AC:
      So in real life we consider only known problems as "problems". Same goes with vulnerabilities also.

      Personally, I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

    4. Re:All security problems? by cburley · · Score: 1

      I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

      I'm curious, then: where do you get the patches you apply to close the vulnerabilities of which you are not aware?

      --
      Practice random senselessness and act kind of beautiful.
    5. Re:All security problems? by cperciva · · Score: 1

      where do you get the patches you apply to close the vulnerabilities of which you are not aware?

      I don't, obviously. But I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND), on the basis that there are likely other (unknown) vulnerabilities.

    6. Re:All security problems? by cburley · · Score: 1

      I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND)

      Ah, okay, I see what you mean. I run qmail, myself, and haven't put up a nameserver yet (but when I do, it'll be djbdns, not BIND).

      --
      Practice random senselessness and act kind of beautiful.
  10. erm, what is that url??? by polished+look+2 · · Score: 0, Troll

    Hi. What is "securityupdate.php" and why is it pointing to presumably your server and not CERN labs?

    1. Re:erm, what is that url??? by Anonymous Coward · · Score: 0

      maybe someone at cern forgot to set up dns for that domain?

  11. its a dumb tub-girl thang - again by polished+look+2 · · Score: 1, Flamebait

    its some forwarding mechanism via javascript at http://nero-online.org/lastmeasure/ and has some kind of code like "if(navigator.appName == "Microsoft Internet Explorer")" and goes to url="http://snakefinger.net/havefun/index.html";

    1. Re:its a dumb tub-girl thang - again by Anonymous Coward · · Score: 0

      Maybe you have a virus because I clicked the link and it works just fine. Or maybe you're one of those guys who accuses every post of being a goatse link?

    2. Re:its a dumb tub-girl thang - again by Anonymous Coward · · Score: 0

      Actually I'd bet, since it's a .php page, that it's a PHP redirect script that throws every couple of requests to one site, and the rest (the majority) to the actual CERT page. Click on it a few times; it will go through to the goatse.cx crap.

  12. Answers by Anonymous Coward · · Score: 5, Informative

    Savannah is GNU's answer to SourceForge. Some GNU people don't like some of SF's terms for usage, so they run their own sf-style site.

    It was offline because it was compromised, presumably by the brk() hole recently discovered in Linux 2.4.x. (Fixed in the latest version.)

    You should care because now the authors of your favorite GNU software can be more productive. It also has serious implications to Linux 2.4 security.

    I don't know anything about rocket packs.

  13. TROLL? by Anonymous Coward · · Score: 0

    ???
    the link worked fine for me.. none of this lastmeasure you speak of

    i think you're trolling, young man

  14. MOD PARENT DOWN by tizen · · Score: 0

    My Mozilla started dancing around my screen... I don't think that's CERN.

    -tiz

  15. What took them so long? by keesh · · Score: 4, Informative

    It took them weeks to realise that they'd been owned and months to fix anything. I think they need a few lessons from the Gentoo people...

    1. Re:What took them so long? by moneymaker · · Score: 1

      Because that's when they kept finding vulnerabilities in the cvs pserver

    2. Re:What took them so long? by axxackall · · Score: 2, Interesting

      pserver??? Why pserver, which is insecure by design? Why not ssh?

      I am not even asking why CVS, which was never designed for security at all. Well, in fact CVS was never designed at all - it was a set of patches to RCS. If you need a really well-thought and well-designed and well-implemented VS/CM you should check Aegis or upcoming Subversion.

      --

      Less is more !
    3. Re:What took them so long? by LetterJ · · Score: 2, Informative

      I've been using Subversion for about 6 months and, other than the administration inconveniences of database changes (that are part of working with pre-1.0 software), I've been loving it. I also provide it to my customers as part of our $99/year software subscription and they've been loving it as well. Built-in web access through Apache 2 and the fact that you can do remote work over port 80 make it a pretty cool setup. If you've been using CVS, I have one thing to say: renaming files while retaining history.

    4. Re:What took them so long? by naasking · · Score: 1

      Actually, you should check out OpenCM. (soon to make its 1.0 release).

    5. Re:What took them so long? by Mr.Ned · · Score: 3, Insightful

      The Debian people, no slouches, didn't notice right away, and may not have if their hardware didn't react poorly to the rootkit. The Gentoo compromise was on a completely different scale - to restore the computer to working order, they just plowed the hard drive, reinstalled, and then copied the data from other mirrors. Unfortunately, this is not so easy for Savannah - they host a lot of projects and aren't just running rsync. Savannah wasn't just another mirror, it was the central repository.

    6. Re:What took them so long? by CentrX · · Score: 1

      What? The Debian people reacted in a little over a day.

      --

      "The price of freedom is eternal vigilance." - Thomas Jefferson
  16. Totally fixed! by fm6 · · Score: 2, Insightful

    ... all security problems are resolved ...
    That's the kind of sloppy thinking that got them in trouble in the first place. Try, "all known security problems are resolved"!!!
  17. MOD PARENT DOWN - Goatsex Link! by wackysootroom · · Score: 0, Flamebait

    Why mod people up without actually reading the fucking link? I mean why? How can you justify giving someone mod points without seeing what's posted?

    1. Re:MOD PARENT DOWN - Goatsex Link! by mattjb0010 · · Score: 1

      Why mod people up without actually reading the fucking link? I mean why? How can you justify giving someone mod points without seeing what's posted?

      The + mod points were given before the redirection on the site was changed.

    2. Re:MOD PARENT DOWN - Goatsex Link! by Anonymous Coward · · Score: 0

      Ahh. My Bad. Thanks for clarifying. There still are some good slashdot mods left.

    3. Re:MOD PARENT DOWN - Goatsex Link! by Anonymous Coward · · Score: 0

      It's called a link changer, dumbass. It pointed to something valid before, then after getting modded up changes to Goatse.

      Think before posting, please.

  18. Savannah is back online.. by Anonymous Coward · · Score: 0, Funny

    Now that's what I'm Tolkien about!
    (Still haven't been thrown out of this place)

  19. Re:Security Info by Jake+Dodgie · · Score: 1

    Don't bother clicking the link. No CERN there, it's just Goat Sex Man again.

    --
    Drunkenness is an electron free version of virtual reality.
  20. how about reporting your TROLLING activities? by Anonymous Coward · · Score: 0

    none of those links work and the main page goes straight to CERN

  21. Savanna is a great place for marriage advice !!!! by CmdrTostado · · Score: 0, Offtopic

    Savanna is back online. Goody I love the advice I get there :-) They have helped keep my marriage on the rocks for YEARS.

  22. Re:Obvious enough by GoofyBoy · · Score: 3, Insightful

    1. What is Savannah?
    2. What were the security problems?
    3. Why should I or Developers care about this?
    4. Why was it down for several weeks?

    Not something that can be answered with moving a mouse around and 1/2 a second.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  23. No LIDS? by Malcontent · · Score: 2, Interesting

    Does anybody know why they didn't implement something like LIDS?

    --

    War is necrophilia.

    1. Re:No LIDS? by Anonymous Coward · · Score: 0

      Glad I play such a major role in your life. I am sure stalking me gives your feeble little life some meaning.

  24. Re:report this abuser to roadrunner? by Anonymous Coward · · Score: 0

    for what?

  25. That doesn't make much sense by Ars-Fartsica · · Score: 1

    Limiting a ports-like system to only Savannah-hosted projects would be of little utility. The joy of ports is that you can find every supported port, regardless of origin.

  26. Re:Security Info by Anonymous Coward · · Score: 0

    how come when I clicked it I got CERN?

  27. Notes by fm6 · · Score: 0, Redundant

    Note to moderators: always check links before marking a post informative.

    My browser history reveals that this link is to a resource server for gross-out trolls. I guess that shouldn't surprise me.

  28. Score This: -1 Troll by Anonymous Coward · · Score: 0

    Because it wasn't GNU/LIDS?

  29. T YOJAUTA by Anonymous Coward · · Score: 0

    DICKS LOL HGBRHLGGRLGRLG

    1. Re:T YOJAUTA by Narchie+Troll · · Score: 0, Offtopic

      T COWARD GAY DICK
      GUAUGUAUGUAUGUAUGUHAGUAUGUAHG

      (don't lick so many fat pricks. it's like vomiting up spurt.)

  30. Mod parent up, funny !! by Anonymous Coward · · Score: 0

    Savanna gives fake romance advice, check it out. Poster is trying to be funny.

  31. That's one down (er, back up)... by kcbrown · · Score: 1

    ...and at least one more to go...

    Sigh...

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  32. Oh lord. by Blue+Eagle+26 · · Score: 2, Funny

    Nothing like welcoming them back online with a good ol' slashdotting!

  33. Re:Obvious enough by Anonymous Coward · · Score: 0

    .. and what is the "extra security"?

  34. If only the same could be said... by An+Anonymous+Hero · · Score: 2, Interesting
    1. Re:If only the same could be said... by Mondongo · · Score: 1

      Oh yeah. It's been weeks since I could download packages off the web. Hasn't anyone set up a mirror by now?

  35. Whoops - wrong Savannah by Anomalous+Cowturd · · Score: 4, Funny


    As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational.

    So, was I the only person who read the headline, *and* the blurb, and immediately thought of something completely different?

    --

    Java: the bastard demon spawn of C++ and Ada

    1. Re:Whoops - wrong Savannah by Anonymous Coward · · Score: 0

      adds new meaning to the words "public service"

  36. Debian still down by Anonymous Coward · · Score: 1, Interesting

    I wonder what's cooking over at Debian. Everyone else seems to have gotten their services back up and running. Are GNU and Gentoo being too hasty or is Debian just being the slow boat as usual?

    1. Re:Debian still down by Anonymous Coward · · Score: 0

      They expect to have a fix ready within the next few years. The Debian devs are busy testing the 2.4 kernel for the new Debian release next year.

    2. Re:Debian still down by Ben+Hutchings · · Score: 4, Interesting

      Debian has gradually been bringing services back online as the relevant files are verified and new passwords and keys generated. They are also tightening security in some ways, e.g. dropping pserver access to CVS servers. Alioth and www.debian.org are the latest services to be restored.
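Two comments above raise the same change: axxackall asks why pserver rather than ssh, and Ben Hutchings notes Debian dropping pserver access to its CVS servers. As an added example (not Debian's, Savannah's or the CVS project's code), the Python below parses CVSROOT strings of the form :method:[user[:password]@]host[:port]/path, flags :pserver: roots, which authenticate with a lightly scrambled password over TCP port 2401, and rewrites them as :ext: roots to be used with CVS_RSH=ssh. The sample roots and host names are constructed.

```python
"""Flag CVS roots that use pserver and rewrite them as ssh-tunnelled :ext: roots.

Added example, not code from Savannah, Debian or the CVS project. pserver sends
a password that is only lightly scrambled over TCP port 2401 to a daemon that
answers any network client; an :ext: root with CVS_RSH=ssh reuses the host's
ssh authentication instead. Syntax handled: :method:[user[:password]@]host[:port]/path.
The sample roots below are constructed.
"""
import re

CVSROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/@]+)"
    r"(?::(?P<port>\d+)?)?"
    r"(?P<path>/.*)$"
)


def parse_cvsroot(root):
    """Split a CVSROOT into fields; a bare path is a local repository."""
    if root.startswith("/"):
        return {"method": "local", "user": None, "password": None,
                "host": None, "port": None, "path": root}
    m = CVSROOT_RE.match(root)
    if not m:
        raise ValueError("unrecognised CVSROOT: %r" % root)
    return m.groupdict()


def findings(root):
    """Security findings for one root as short strings; empty means nothing to flag."""
    f = parse_cvsroot(root)
    out = []
    if f["method"] == "pserver":
        out.append("pserver: password authentication over cleartext TCP (2401)")
    if f["password"] is not None:
        out.append("password embedded in CVSROOT")
    if f["method"] == "ext" and f["user"] is None:
        out.append("ext root without explicit user; relies on the local login name")
    return out


def to_ssh_root(root):
    """Express a pserver or ext root as an :ext: root (use with CVS_RSH=ssh)."""
    f = parse_cvsroot(root)
    if f["method"] not in ("pserver", "ext"):
        raise ValueError("only pserver/ext roots can be expressed over ssh")
    user = f["user"] + "@" if f["user"] else ""
    return ":ext:%s%s%s" % (user, f["host"], f["path"])


def audit(roots):
    """Map each root to its findings and, for pserver roots, the ssh replacement."""
    report = {}
    for r in roots:
        method = parse_cvsroot(r)["method"]
        report[r] = {"findings": findings(r),
                     "replacement": to_ssh_root(r) if method == "pserver" else None}
    return report


# Constructed examples of what a checkout's CVS/Root files or ~/.cvspass might hold.
SAMPLE_ROOTS = [
    ":pserver:anonymous@cvs.example.org:/cvsroot/project",
    ":pserver:alice:s3cret@cvs.example.org:2401/cvsroot/project",
    ":ext:alice@cvs.example.org/cvsroot/project",
    "/home/alice/cvsroot",
]

if __name__ == "__main__":
    for root, result in audit(SAMPLE_ROOTS).items():
        print(root, result)
```

Run over the `CVS/Root` files of a tree of checkouts, `audit()` gives a migration list; the anonymous read-only case is the one worth thinking about separately, since ssh keys for anonymous users need their own provisioning.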

    3. Re:Debian still down by Anonymous Coward · · Score: 0

      The debian people are too busy debating if 2.4 should be called stable...

  37. GNU FTP mirror by Anonymous Coward · · Score: 1, Interesting

    Does anyone know when some of the "RSN" (Real Soon Now) files will be back on the GNU FTP archive? Some files have been unavailable since August. Not sure if it's connected with this Savannah thing.

  38. Debian amateurs by Doc+Ruby · · Score: 2, Interesting

    What exactly is wrong with the packages server now? What are they doing to fix it, for so long? ETA? Why don't they put some info on the (disabled) homepage? Not exactly a system that my old Wall Street clients would rather move to, from Solaris.

    --
    make install -not war

    1. Re:Debian amateurs by Anonymous Coward · · Score: 0

      I've had no troubles.

      Considering the price, it's the best service ever.

      If you don't like it, shell out cash and commit into slavery with some money-sucking corporate monstrosity.

  39. Other services like savannah/sf.net? by Kent+Recal · · Score: 1

    I was looking for a pub cvs + bug tracker service a while ago and this reminds me.

    Are there any alternatives to sf.net and savannah around? I like the feature list of sf but the web-interface is a nightmare, esp. the bugtracker.

    Can anyone recommend a good bugtracker (service or software)?

    1. Re:Other services like savannah/sf.net? by Anonymous Coward · · Score: 0
  40. LET'S GET RETARDED by Anonymous Coward · · Score: 0

    in here! fp45

  41. Re:Obvious enough by Anonymous Coward · · Score: 0

    If you don't know the answers to those questions..

    Then this article is not important to you and you can skip it!

    Go away and complain about something else.

  42. offtopic:GFDL by Anonymous Coward · · Score: 0

    Your comment is interesting, but totally offtopic here.

  43. grsecurity? by curious.corn · · Score: 3, Informative

    grsecurity is a promising mechanism to un-root a linux kernel based system: ipaddr, user or group based roles open or deny access to privileged operations without ever having uid=0 to begin with. It's a bit complicated to use but the system can auto-learn and generate these policies. Also, the system includes PaX which does some neat things like scramble the stack to thwart buffer overflows, non executable pages, etc... I've played with both (well, Mandrake secure kernels have grsec compiled in, not sure about pax) and although I still can't figure out (read: "ready made & nicely packaged ;-)") all of it, it does give the warm & fuzzy feeling it makes a difference...

    --
    I wonder who commissions all the bullshit I do - Altan

  44. Re:Obvious enough by Anonymous Coward · · Score: 0

    If you don't know the answers to those questions..

    Then this article is not important to you and you can skip it!

    Eh?

    Is it really that uncommon to read Slashdot to learn about stuff?

  45. Xen cf VMWare? by midgley · · Score: 1

    Is Xen going to be a FLOSS VMWare?

  46. I'm not going back until... by embobo · · Score: 1

    ...they provide extra tasty-crispy security.

  47. That's not what I call "back online" by Fefe · · Score: 3, Interesting

    a) they firewalled ICMP echo (WTF?!?)
    b) cvs pserver is not available and apparently never will be again. So I went through my checked out gcc source tree and changed all the CVS/Root files to their new scheme, but it didn't work, "directory not found".
    c) I would have double checked with the webcvs, but that's also not operational.
    d) The other option would have been to download a snapshot from the download area, but the download areas are also not available. OK ok, for gcc the download area is somewhere else, but for all the other projects?!

    This begs the question: what _is_ back online? The web server with the note that they are back online?

    So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

    Sorry, folks, but I don't like people who discontinue all the important features and then say it's for security reasons. That's bullshit.
    I would help, but I didn't see them asking for help anywhere.

    1. Re:That's not what I call "back online" by slamb · · Score: 1
      a) they firewalled ICMP echo (WTF?!?)

      I imagine the thinking goes "ha ha! we no longer provide a useful diagnostic as required by the standard. There is no way they will know our computer is here now, despite running a high-profile service. Now everything is secure."

      It's the same thinking that slashdot uses.

      Okay, in fairness, there are some well-respected security sites that do this also. Case in point: securityfocus.com, which hosts the bugtraq mailing list. I still think it's a stupid idea, though.

      So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

      Well, that's still not ideal. Here's one fundamental pserver flaw which rarely gets talked about: it does not authenticate the server at all. So it would be easy to spoof and send your own compromised code to whoever does an anonymous checkout. And sending compromised code to people is the real goal of someone who would crack the Linux BK->CVS gateway, the Debian machines, the Gentoo machines, and/or Savannah.

      I bet other sites like SourceForge would be doing this if they had the CPU cycles to spare. But cryptography is expensive and SourceForge's CVS setup is slow already.
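slamb's point above is that pserver never authenticates the server, so an anonymous checkout has to be verified against something obtained over a trusted channel (a signed release, a manifest fetched over ssh). Added example, not code from this thread or from Savannah: a Python script that hashes every source file in a checkout (skipping the CVS/ bookkeeping directories) and reports files that differ from a trusted manifest; the sample tree and the :pserver: root string are constructed placeholders.

```python
import hashlib
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def checkout_digest(root):
    """Map each source file (relative POSIX path) to its SHA-256, skipping CVS/ bookkeeping dirs."""
    digest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != "CVS")  # Root/Entries/Repository are not source
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest[rel] = file_sha256(full)
    return digest


def verify_checkout(root, trusted_manifest):
    """Return sorted (kind, path) pairs, kind in {'missing', 'modified', 'unexpected'}; empty means clean."""
    actual = checkout_digest(root)
    problems = []
    for rel, expected in trusted_manifest.items():
        got = actual.get(rel)
        if got is None:
            problems.append(("missing", rel))
        elif got != expected:
            problems.append(("modified", rel))
    problems += [("unexpected", rel) for rel in actual if rel not in trusted_manifest]
    return sorted(problems)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed sample: a tiny checkout, a trusted manifest, then a tampered copy of one file."""
    base = tempfile.mkdtemp()
    _write(os.path.join(base, "src", "CVS", "Root"), ":pserver:anoncvs@cvs.example.invalid:/cvsroot\n")  # placeholder root
    _write(os.path.join(base, "src", "main.c"), "int main(void) { return 0; }\n")
    trusted = checkout_digest(base)  # stand-in for a manifest fetched over a trusted channel
    _write(os.path.join(base, "src", "main.c"), "int main(void) { return 1; }\n")  # simulated tampering by a spoofed server
    return verify_checkout(base, trusted)
```

The manifest itself must come from somewhere the spoofed server cannot influence, otherwise the comparison proves nothing.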

  48. As powerful as ports by ebuck · · Score: 1

    Simply noting that ports works well, and is powerful isn't a compelling reason to shift from RPM, apt, or whatever. Ports needs to be so much better than alternatives that people flock to it in its own right.

    The *BSDs have a lot going for them, and ports is their crown jewel, but I'm getting tired of claims of superiority because they use a different packaging system. The one-command-line update of a system isn't unique to BSD, or even to Linux. RPM has yum (or up2date if you prefer), apt has apt-get, and even windows has something. Claiming that Linux is "good, but when will it catch up to having ports" is the same gripe as claiming that Linux is "good, but when will it run MS Word".

    At least running MS Word has a compelling business purpose, but running ports is just the desire to pick your own flavor. If nobody makes horseradish ice cream, perhaps you should make your own.

  49. Why do it wrong again? by Anonymous Coward · · Score: 0

    No Grsecurity? (For PAX mostly.) No RSBAC? No SSP compiled kernel to protect from the buffer overflows in kernel?

    Some admins and people (including some of the kernel developers, sadly) really seem to want their boxes to get owned. Really.

    Running a public server with no complete system wide buffer overflow protection is suicide.

  50. packages package by Doc+Ruby · · Score: 1

    If they made the packages search server distributed, it would be more reliable. Like packaging the database server, schema and data into a .deb. Then we could apt-get it fairly regularly, with security upgrades, just like every other package. Save them CPU cycles and bandwidth bottlenecks. This Fall is like a black hole for finding packages.

    --
    make install -not war

  51. Resurrection? by tommck · · Score: 1

    How do you bring a dead porn star back online??

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.

  52. Would chroot have stopped this attack? by Anonymous Coward · · Score: 0

    Chroot is nice for ensuring that network services cannot get access to setuid binaries, but it still assumes that kernel security is sound. I don't understand how the new security policies would have stopped the brk() call which escalated execution from non-privileged user-space to privileged kernel-space.

    Also, do these new security policies also indicate that the FSF has changed its view on implementing security features in GNU? Or does RMS' rant that GNU su should never implement the "wheel" group still stand?

  53. Re:Obvious enough by Narchie+Troll · · Score: 1

    However, it can be answered by clicking the fucking link.

  54. Re:Security Info by Anonymous Coward · · Score: 0

    This is a product of the anti-slash Jihad page. They set up redirect servers that for a while point to something informative/on topic/useful, then pull a switcher on it, and it points to goatse/tubgirl/nero-online/whatever.

  55. Re:Obvious enough by Anonymous Coward · · Score: 0

    Follow the link, Neo

  56. Read the manual and STFU by Anonymous Coward · · Score: 0

    For fuck's sake, read the manuals. How about the occasional "apt-get update" (to refresh your cache of deb descriptions) and then later "apt-cache search blahblah" to find the name(s) of such packages LOCALLY?

    Why do you use some web-based search thingy anyway? Are you stupid or something?

    Your "old Wall Street clients" apparently have money to spare (Solaris). I do not understand why they hired some clueless person like you.

    1. Re:Read the manual and STFU by Doc+Ruby · · Score: 1

      Wall Street has money to spare on doing it productively. When you get into junior high school, foolish Anonymous Coward, you'll meet some people who know how to *work together*, instead of always doing everything for themselves from scratch. Until you learn to play nicely, don't expect the clueful like me to even bother to school you.

      --
      make install -not war

  57. Re:Security Info by Anonymous Coward · · Score: 0

    It still points to cern and always did when I clicked on it.

    I call troll on you.

  58. idiot by Anonymous Coward · · Score: 0

    it's not goatse.cx

    it's called lastmeasure, you fucking retarded moron

  59. MOD PARENT UP! by Anonymous Coward · · Score: 0

    How was this not modded Funny?