Slashdot Mirror


Savannah Back Online With Extra Security

depesz writes "As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

11 of 172 comments

  1. Security? by fewnorms · · Score: 2, Interesting

    And yet they still use Apache 1.3.26? Which by now is known to have some nice exploits and other faults ... no disrespect to apache here though, it's still far superior to that IIS crap.

    --
    Veni, Vidi, Velcro!
  2. Xen for better separation than chroot? by redhat421 · · Score: 4, Interesting

    When I look at intrusions like this, I wonder if using something like Xen is a perfect fit for protecting projects from each other

    or perhaps as a backup known good environment.

  3. No LIDS? by Malcontent · · Score: 2, Interesting

    Does anybody know why they didn't implement something like LIDS?

    --

    War is necrophilia.

  4. If only the same could be said... by An Anonymous Hero · · Score: 2, Interesting
  5. Re:Savannah is back online again by DAldredge · · Score: 3, Interesting

    The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

    Just read my journal. It explains some of what has happened.

  6. Debian still down by Anonymous Coward · · Score: 1, Interesting

    I wonder what's cooking over at Debian. Everyone else seems to have gotten their services back up and running. Are GNU and Gentoo being too hasty or is Debian just being the slow boat as usual?

    1. Re:Debian still down by Ben Hutchings · · Score: 4, Interesting

      Debian has gradually been bringing services back online as the relevant files are verified and new passwords and keys generated. They are also tightening security in some ways, e.g. dropping pserver access to CVS servers. Alioth and www.debian.org are the latest services to be restored.

  7. GNU FTP mirror by Anonymous Coward · · Score: 1, Interesting

    Does anyone know when some of the "RSN" (Real Soon Now) files will be back on the GNU FTP archive? Some files have been unavailable since August. Not sure if it's connected with this Savannah thing.

  8. Debian amateurs by Doc Ruby · · Score: 2, Interesting

    What exactly is wrong with the packages server now? What are they doing to fix it, for so long? ETA? Why don't they put some info on the (disabled) homepage? Not exactly a system that my old Wall Street clients would rather move to, from Solaris.

    --
    make install -not war

  9. Re:What took them so long? by axxackall · · Score: 2, Interesting

    pserver??? Why pserver, which is insecure by design? Why not ssh?

    I am not even asking why CVS, which was never designed for security at all. Well, in fact CVS was never designed at all; it was a set of patches to RCS. If you need a really well-thought-out, well-designed and well-implemented VS/CM you should check Aegis or the upcoming Subversion.

    --

    Less is more!

  10. That's not what I call "back online" by Fefe · · Score: 3, Interesting

    a) they firewalled ICMP echo (WTF?!?)
    b) cvs pserver is not available and apparently never will be again. So I went through my checked out gcc source tree and changed all the CVS/Root files to their new scheme, but it didn't work, "directory not found".
    c) I would have double checked with the webcvs, but that's also not operational.
    d) The other option would have been to download a snapshot from the download area, but the download areas are also not available. OK ok, for gcc the download area is somewhere else, but for all the other projects?!

    This begs the question: what _is_ back online? The web server with the note that they are back online?

    So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

    Sorry, folks, but I don't like people who discontinue all the important features and then say it's for security reasons. That's bullshit.
    I would help, but I didn't see them asking for help anywhere.