Slashdot Mirror


Savannah Back Online With Extra Security

depesz writes "As we can read here, Savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

10 of 172 comments

  1. Re:Questions by Anonymous Coward · · Score: 5, Informative
    What is Savannah?

    Savannah is a sort of "home base" for GNU Project developers. They can set up web sites for their projects, CVS repositories, mailing lists, post want-ads for developers, etc.

    Why was it not online?

    Early this month / late last month the system was compromised in some way. I'm not sure if anything was actually damaged or not, but it's best to try to keep things as secure as possible. Hence it was taken offline, reinstalled, and new security procedures have been (and are being) developed.

    Why should I care?

    If you're not a GNU developer, it has little immediate impact on you. It's one of those "just sharing" stories. :-)

    Where's the rocketpacks?

    I don't know, but I know that I don't have them.

  2. Answers by Anonymous Coward · · Score: 5, Informative

    Savannah is GNU's answer to SourceForge. Some GNU people don't like some of SF's terms for usage, so they run their own sf-style site.

    It was offline because it was compromised, presumably by the brk() hole recently discovered in Linux 2.4.x. (Fixed in the latest version.)

    You should care because now the authors of your favorite GNU software can be more productive. It also has serious implications to Linux 2.4 security.

    I don't know anything about rocket packs.

  3. What took them so long? by keesh · · Score: 4, Informative

    It took them weeks to realise that they'd been owned and months to fix anything. I think they need a few lessons from the Gentoo people...

    1. Re:What took them so long? by LetterJ · · Score: 2, Informative

      I've been using Subversion for about 6 months and, other than the administration inconveniences of database changes (that are part of working with pre-1.0 software), I've been loving it. I also provide it to my customers as part of our $99/year software subscription and they've been loving it as well. Built-in web access through Apache 2 and the fact that you can do remote work over port 80 make it a pretty cool setup. If you've been using CVS, I have one thing to say: renaming files while retaining history.

  4. Re:Savannah is back online again by xie · · Score: 5, Informative

    Actually they are back "online" but reading here it seems most things won't be functional till "early January 2004".

  5. Re:Security ? by damiam · · Score: 5, Informative

    It's quite likely that that's a vendor version (from Debian stable?) that has had all relevant bugfixes and patches backported by the vendor. I really doubt they'd use the vanilla 1.3.26.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.

  6. Re:Congratulations by Jacek Poplawski · · Score: 3, Informative

    I am afraid you are wrong. Savannah is a very important website. Many free projects are hosted there (for example mldonkey), and with the whole site disabled, development was almost completely stopped for many days.

  7. grsecurity? by curious.corn · · Score: 3, Informative

    grsecurity is a promising mechanism to un-root a Linux kernel based system: ipaddr, user or group based roles open or deny access to privileged operations without ever having uid=0 to begin with. It's a bit complicated to use but the system can auto-learn and generate these policies. Also, the system includes PaX which does some neat things like scramble the stack to thwart buffer overflows, non-executable pages, etc... I've played with both (well, Mandrake secure kernels have grsec compiled in, not sure about PaX) and although I still can't figure out (read: "ready made & nicely packaged ;-)") all of it, it does give the warm & fuzzy feeling it makes a difference...

    --
    I wonder who is the mastermind behind all the crap I do - Altan

  8. Re:Congratulations by sg_oneill · · Score: 2, Informative

    Ignore 'em, depesz. I know, as do most IT folk who have anything vaguely resembling a clue.

    Unfortunately some folk see it better to criticize what they don't understand rather than... oh... say... ask a question that leads to an answer that informs and delights others.

    Had it been asked, one could have then replied "Savannah is GNU/FSF's version of Sourceforge without the proprietary bits or non-free projects."

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.

  9. Re:Savannah is back online again by sg_oneill · · Score: 3, Informative

    The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

    Just read my journal. It explains some of what has happened.


    Who modded that troll? Geez. Read the journal article. The guy just got booted as a Hurd maintainer because he was worried the GNU doc licence is too non-free.

    Also dude, you should submit your story onto newsforge or something. It's worrying.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.