Savannah Back Online With Extra Security

depesz writes "As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

GNAA Anuses Observing Extra Security This Week

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE (Click Here to download the ~280MB MPEG off of BitTorrent)

Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.

If you have mod points and would like to support GNAA, please moderate this post up.

This post brought to you by Penisbird , a proud member of the GNAA

I am protesting Slashdot's chronic abuse of its readers and subscribers. Please visit www.anti-slash.org and help us!
________________________________________________
| ______________________________________._a,____ |
| _______a_._______a_______aj#0s_____aWY!400.___ |
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ |
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ |
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ |
| ________"#,___*@`__-N#____`___-!^_____________ |
| _________#1__________?________________________ |
| _________j1___________________________________ |
| ____a,___jk_ GAY_NIGGER_ASSOCIATION_OF_AMERICA_|
| ____!4yaa#l___________________________________ |
| ______-"!^____________________________________ |
` _______________________________________________'

Re:GNAA Anuses Observing Extra Security This Week

I hear Dubya just opened some of the Alaskan forest to niggers. I can see why environemtalists are aginst this. The whole forest will burn down when the first crack pipe gets lit up.

GNAA

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it.

Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.

If you have mod points and would like to support GNAA, please moderate this post up.

This post brought to you by freeibtet, a proud member of the GNAA

G_____________________________________naann_______ ________G
N_____________________________nnnaa__nanaaa_______ ________A
A____________________aanana__nannaa_nna_an________ ________Y
A_____________annna_nnnnnan_aan_aa__na__aa________ ________*
G____________nnaana_nnn__nn_aa__nn__na_anaann_MERI CA______N
N___________ana__nn_an___an_aa_anaaannnanaa_______ ________I
A___________aa__ana_nn___nn_nnnnaa___ana__________ ________G
A__________nna__an__na___nn__nnn___SSOCIATION_of__ ________G
G__________ana_naa__an___nnn______________________ ________E
N__________ananan___nn___aan_IGGER________________ ________R
A__________nnna____naa____________________________ ________S
A________nnaa_____anan____________________________ ________*
G________anaannana________________________________ ________A
N________ananaannn_AY_____________________________ ________S
A________ana____nn_________IRC-EFNET-#GNAA________ ________S
A_______nn_____na_________________________________ ________O
*_______aaaan_____________________________________ ________C
um, dolor. Nunc nec nisl. Phasellus blandit tempor augue. Donec arcu orci, adipiscing ac, interdum a, tempus nec, enim. Phasellus placerat iaculis orci. Crasa sit amet quam. Sed enim quam, porta quis, aliquet quis, hendrerit ut, sem. Etiam felis tellus, suscipit et, consequat quis, pharetra sit amet, nisl. Aenean arcu massa, lacinia in, dictum eu, pulvinar ac, orci. Mauris at diam tempor ante ullamcorper molestie. Ut dapibus eleifend ipsum. Nam dignissim.

I love Gentoo

It'sa the besta!!

Howdy

[gantrep]

http://gnaa.isgay.com

Congratulations

[xyzzy]

On yet another slashdot posting with absolutely zero informative content (except possibly to people who already knew what the article meant).

Re:Congratulations

WAT IS LAPTOP BAG PRECIOUS?

Re:Congratulations

[captredballs]

Configuring Internet Explorer to identify hyperlinks[1]:

1. Activate the "Tools" menu at the top of IE
2. Select the "Internet Settings" menu item
3. Select the "General" tab at the top of the dialog. This tab may already be selected.
4. Activate the "Colors" button at the bottom of the dialog
5. Choose bright, yet readable, colors for both visited and unvisited links. A third "hover color" may be selected to make hyperlinks even more visible when under the mouse cursor.
6. Now select the "Advanced" tab at the top of the dialog.
7. Under "Browsing", then further under "Underline links" in the hierarchy of options, select the "Always" radio button.
8. Activate the "OK" button at the bottom of the dialog.

Hyperlinks will now be noticably identified by underlined text in the colors you have chosen. Be warned that improper use of javascript on websites such as www.msnbc.com may render hyperlinks more difficult to see. Slashdot and other websites that adhere to established guidelines do not employ these methods.

Thank you for visiting Slashdot.org, please remember to log in and meta-moderate.

[1] A hyperlink is, in its most common incarnation, a portion of text inside a greater body of text such as a paragraph. The text itself should fit into the context of the content, but has an associated website address. This website address should, according to style, contain information on the subject that the hyperlink text is being used to represent. A perspective that may be helpful is that the hyperlink text represents a question and the website associated with the link is the answer. Instead of requiring the consultation of other sources to define the meaning of the hyperlink's text, it is possible to follow the link directly and discover the authors intent.

Links are usually "followed" by placing the mouse cursor over the link and activating the left mouse button. While the concept may seem unnatural, people who are familiar with interfaces such as ATM's, touch tone telephone menus, and mass transit kiosks usually catch on quite quickly.

(c)CaptainRedBalls Instructional Aids

Re:Congratulations

[shnarez]

It's a slow news day, whatcha want. :-)

Re:Congratulations

You're a little stupid aren't you.

Re:Congratulations

[AKAImBatman]

On yet another slashdot posting with absolutely zero informative content

Drats. Here I was hoping that they had brought back the good ship Savannah.

Re:Congratulations

[captredballs]

Questions should be punctuated with question marks.

Does this make sense? See how easy it is?

At the risk of being nitpicky, I would also recommend that you employ commas to separate independent clauses in a rhetorial sentance.

"You're a little stupid, aren't you?"

Re:Congratulations

Learn to spell. Then maybe you can pick on someone's grammar.

Incidentally, the guy may not have been asking it as a question. Often, Brits will say "aren't you" at the end of a phrase for emphasis. The intonation of the sentence indicates it is clearly not a question.

But you're an idiot, aren't you, and wouldn't know that.

Re:Congratulations

Good call. I've lived in American for damn near 20 years and thought I'd gotten rid of all my English colloquialisms.

And he is an idiot.

Re:Congratulations

[Jacek+Poplawski]

I am afraid you are wrong. Savannah is very important website. Many free projects are hosted there (for example mldonkey), and with whole site disabled development was almost completly stoped for many days.

Re:Congratulations

Sentance?

Re:Congratulations

[depesz]

my informaation was not long because i assumed that all (or most of) the people reading slashdot know:

1. what savannah is
2. that is was down due to security compromise

plus, more information about what was changed and why can be found on the site that i gave link to.

of course it might be wrong assumptions, so next time i'll post a information to slashdot i'll remember about it, and make myself verbose. (depesz --verbose post)

depesz

Re:Congratulations

[sg_oneill]

Ignore em depesz. I know , as do most IT folk who have anything vaguely resembling a clue.

Unfortunately some folk see it better to critisize what they don't understand rather than.. oh... say ... ask a question that leads to an answer that informs and delights other.

Had it been asked, one could of then replied "Savannah is GNU/FSF's version of Sourceforge without the proprietry bits or non free projects.

Re:Congratulations

[archen]

I was hoping it was this savannah myself.

Re:Congratulations

[xyzzy]

I wasn't trying to bitch you out as the submitter, but the "editors" of the site. No, not everyone knows the two points you stated, but the script kiddies^H^H^H^H^H^H^H^H^H^Heditors should have known that, not you.

Re:Congratulations

[YOU+LIKEWISE+FAIL+IT]

Well, mark it down as overrated if you must, this comment made me laugh out loud.

Seems fitting that they'd use the name Savannah

[ObviousGuy]

I guess the creators couldn't see the irony in the name.

Savanah is back online again

[rxed]

not anymore. is been slashdoted. :-)

Re:Savanah is back online again

[xie]

Actually they are back "online" but reading here it seems most things won't be functional till "early January 2004".

Re:Savanah is back online again

[DAldredge]

The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

Just read my journal. It explains some of what has happened.

Re:Savanah is back online again

For people looking for more information about the GFDL:

Draft Debian Position on GFDL
Why you shouldn't use the GFDL
Official GFDL Text

Re:Savanah is back online again

[sg_oneill]

The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

Just read my journal. It explains some of what has happened.

Who modded that troll? Geez. Read the journal article. The guy just got booted as a Hurd maintainer because he was worried the GNU doc licence is to non-free.

Also dude, you should submit your story onto newsforge or something. Its worrying.

Re:Savanah is back online again

[Demonspawn]

Highly intersting is http://www.gnu.org/philosophy/bsd.html where GNU themselves state that the Original BSD license is "too restrictive" as it requires verbatium copying of "too many" advertising clauses.... and then make the GFDL require the same type of crap.

--Demonspawn

Security Info

CERN Labs
posted some info about the technical details about the breach and the steps taken to fix it.

Re:Security Info

[Jake+Dodgie]

Don't bother, clicking the link, No CERN there, its just Goat Sex Man again.

Re:Security Info

how come when I clicked it I got CERN?

Re:Security Info

This is a product of the anti-slash Jihad page. They set up redirect servers that for a while point to something informative/on topic/useful, then pull a switcher on it, and it points to goatse/tubgirl/nero-online/whatever.

Re:Security Info

It still points to cern and always did when I clicked on it.

I call troll on you.

Questions

[Scrameustache]

What is Savahna?
Why was it not online?
Why should I care?
Where's the rocketpacks? We were promised rocketpacks...

Re:Questions

[gantrep]

http://www.google.com

Re:Questions

[mattjb0010]

What is Savahna?
Why was it not online?
Why should I care?

Why don't you RTFA?

Re:Questions

[after]

The Source Forge of GNU software.
It got hacksored.
Because it ownz j00 fool.
At Savannah.

Re:Questions

What is Savannah?

Savannah is a sort of "home base" for GNU Project developers. They can set up web sites for their projects, CVS repositories, mailing lists, post want-ads for developers, etc.

Why was it not online?

Early this month / late last month the system was compromised in some way. I'm not sure if anything was actually damaged or not, but it's best to try to keep things as secure as possible. Hence it was taken offline, reinstalled, and new security procedures have been (and are being) developed.

Why should I care?

If you're not a GNU developer, it has little immediate impact on you. It's one of those "just sharing" stories. :-)

Where's the rocketpacks?

I don't know, but I know that I don't have them.

Re:Questions

[Ziviyr]

Why should I care enough to spend time RTFAing when I have no clue what it is. It might be a pet toy store or something of vague point like that.

Point is TFA should be properly introduced unless it has already been covered to the point where knowledge of it is expected.

Re:Questions

[mattjb0010]

Point is TFA should be properly introduced

You were given a site at gnu.org (if you don't know what GNU is, why are you reading /.?), told what had happened, and what the current status of the site was. What part of that didn't you understand?

Re:Questions

You sir, are a typical Linux asshole. HAND.

Re:Questions

Where's the rocketpacks?
I don't know, but I know that I don't have them.

They're in the laptop bag.

Re:Questions

Then for that matter, why post an article telling Slashdotter's that it's back up? Why aren't the interested parties Googling for news regarding Savannah? Get off it.

Re:Questions

No it wasn't compromised. Everyone here knows that that Linux can't be compromised. As pennance, I want a device driver and 3 kernel recompiles from you for saying such a thing.

Re:Questions

[HolyCoitus]

There was an article? Oh man... Are there usually articles attached to these little blurbs? I knew I had to be missing SOMETHING... I just assumed everyone knew more than me.

Re:Questions

And would it have been that hard to put on the main page?

"...Savannah, a sort of 'home base' for GNU Project developers, is back online."

Oh well, I guess I can't code in machine language, so I don't deserve to know, I need to explicitly reveal myself as one of the uninitiated to find out.

Re:Questions

[rifter]

"Point is TFA should be properly introduced"

You were given a site at gnu.org (if you don't know what GNU is, why are you reading /.?), told what had happened, and what the current status of the site was. What part of that didn't you understand?

First off, there wasn't a Fucking Aricle. Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something).

Now, there was an earlier slashdot article that said it was going offline. That article IIRC told more about what the hell savannah was, and why it went down, etc. That was an adctual informative article, and, surprisingly, is linked to an article.

Savannah is more than just a website, so obviously you did not know what it was either but you want to look like a smartass. Congratulations, you have succeeded in looking like a smartass.

Re:Questions

[mattjb0010]

Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)

There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

Re:Questions

[rifter]

"Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)"

There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

Whatever. The point, which you seem to have missed, is that this is the Laziest Slashdot Article Ever. Not only was there no information in the blurb, but there was not even a linked article for crying out loud! I mean granted no one reads them anymore, but jiminey crikers!

Re:Questions

[hak+hak]

Savannah is not just for GNU developers; anyone can base their free software project there. It's just that Savannah itself is the official website for many GNU packages.

Re:Questions

Why don't you STFU?

Re:Questions

[erlenic]

What is Savannah?
Why was Savannah not online?

From the looks of it, Google had no idea that the city of Savannah, GA in the US was offline. Come to think of it, neither did I. Well, I'm happy for everyone that lives there. I can't imagine living through several weeks of my city being offline.

Re:Questions

Why should I care enough to spend time RTFAing..

You seem to care enough to post whiny fucking messages here complaining about the fact that you're a fucking lazy idiot who can't educate themselves or follow a damn link. Why don't you just shut the fuck up and stop being such a whiny fucking bitch?

Re:Questions

[MicroBerto]

Not only that, but I spent a minute on their websites and found nothing. What's a web site that doesn't tell its readers WHAT they are? Terrible.

Re:Questions

Move out of your parents' basement, you fucking loser. Also, good luck ever finding a job where you aren't typing numbers into a database for twelve hours a day.

Re:Questions

[Lost+Race]

Where's the rocketpacks? We were promised rocketpacks...

Quake.ihoc.net! Rocketpacks for all since 1999.

Re:Questions

[Narchie+Troll]

"This web site (called Savannah) is a central point for development, distribution and maintenance of GNU Software."

The first line at the top of http://savannah.gnu.org. What the fuck are you smoking?

Re:Questions

Why don't you post a meaningful, useful reply? Asshole.

Re:Questions

I totaly agree. I tried something similar for Jokko

Security ?

[fewnorms]

And yet they still use Apache 1.3.26? Which by now is known to have some nice exploits and other faults ... no disrespect to apache here though, it's still far superior to that IIS crap.

Re:Security ?

[damiam]

It's quite likely that that's a vendor version (from Debian stable?) that has had all relevant bugfixes and patches backported by the vendor. I really doubt they'd use the vanilla 1.3.26.

Re:Security ?

What's up groupie! I'll bet you've never even used IIS.

Re:Security ?

[MyHair]

Debian backported the security fixes to its stable release of 1.3.26. I seem to be too tired to find a relevant link to support this. Sorry. I'm also too lazy to verify that Savannah is running Debian, but it's a pretty safe assumption I think.

Re:Security ?

[LnxAddct]

What's up groupie! I'll bet you've never even used Apache.

Re:Security ?

[wobblie]

No one in their right mind who wants to run a stable system updates versions to solve security problems; you use a patch against the version you are running. Things are less likely to break this way.

Thanks GNU we love YOU

[after]

Awesome.

Although, I wish Savannah had some sort of system where I could do installation of software similar in the way that FreeBSD does: the ports collection.

There are a lot of cool program there that I use daily, and I would like to have them all upgraded and manageable through a simple collection of applications (like the package managers for the ports collection.)

Either way, manager or no manager, there are some applications that I wanted to go get so Ill go do that now.

Thanks GNU we love YOU.

Obligatory Stallman Lingo

[toupsie]

Savannah wasn't hacked, it was GNU/0wn3d.

SCO Hypocrisy

After making a big song and dance about how linux vendor's lack of indemnification leaves customers open to lawsuits from copyright holders... ... SCO threatens to sue their own customers

Xen for better speration then chroot?

[redhat421]

When I looks a intrusions like this, I wonder if using something like Xen is a perfect fit for protecting projects from each other

or perhaps as a backup known good environment.

Re:Xen for better speration then chroot?

Actually User Mode Linux is probably the better choice for what you're thinking of. And though I've got no data to back this up, conceptually it seems more secure than a chroot (though honestly both seem pretty good).

Re:Xen for better speration then chroot?

If anyone got root in a User Mode Linux process, they could probably exploit kernel bugs in the host kernel, like the brk() bug. A standard exploit probably wouldn't work, so it would slow down some attackers (similar to how a non-X86 machine stopped the Debian cracker). But I don't think it would really be secure against kernel bugs. And Xen probably wouldn't be much better - you need a secure kernel.

In theory, a kernel-level bug is the only way for a non-root user to escape a chroot. UML is useful for creating virtual servers, where people can have root access and administer their own set of users. Chroot is fine if you don't need that.

Re:Xen for better speration then chroot?

[lkaos]

well.. Xen is designed to run 100 VMs at once. I think limiting Savannah to 100 projects is a bit restrictive.

Using a chroot and only letting things run in that chroot'd environment as a lesser user is pretty much as good as long as we can avoid kernel holes. Of course, this was the original problem....

Yawn!

Wake me when something interesting happens.

All security problems?

[cperciva]

all security problems are resolved

I rather doubt that. Perhaps all security problems of which the server administrators are aware have been resolved, but there are definitely going to be other security problems left.

Re:All security problems?

Thanks Mr Precise. We really couldn't have figured that out.

Re:All security problems?

>all security problems of which the server administrators are aware have been resolved

A problem is a "problem" when its identified as such. Otherwise its NOT. For example cigaret is a problem because its a known carcinogen. But nobody considers apple as a problem becuase it doesnt have any identified problem like cigaret. But if tomorrow someobody comes up with some research and prove that apple is carcinogenic, then it will be considered a problem. So in real life we consider only known problems as "problems". Same goes with vunlerabilites also.

Re:All security problems?

[cperciva]

Quoth the AC:
So in real life we consider only known problems as "problems". Same goes with vunlerabilites also.

Personally, I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

Re:All security problems?

Fuck off, fucking asshole. Now go back to work on your piece of shit FreeBSD stuff.

Troll Glass

Re:All security problems?

[cburley]

I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

I'm curious, then: where do you get the patches you apply to close the vulnerabilities of which you are not aware?

Re:All security problems?

[cperciva]

where do you get the patches you apply to close the vulnerabilities of which you are not aware?

I don't, obviously. But I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND), on the basis that there are likely other (unknown) vulnerabilities.

Re:All security problems?

[cburley]

I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND)

Ah, okay, I see what you mean. I run qmail, myself, and haven't put up a nameserver yet (but when I do, it'll be djbdns, not BIND).

Never forget.

http://slashdot.org/comments.pl?sid=26315&cid=2850 660

man free software sure has shitty securitah

Man for all you're noise about how secure open source is you can't seem to keep your servers from getting broken into!

Sure in theory open source is secure but YOU can't even keep YOUR OWN servers secure!

Sheesh...

Obvious enough

[evenprime]

Just put your mouse over the link word Savannah(sp?), and the bottom of your browser will show that the link goes to savannah.gnu.org. It is the box that got rooted. Figuring that out takes about .5 seconds.

Re:Obvious enough

What box got rooted?

Re:Obvious enough

[GoofyBoy]

1. What is Savannah?
2. What was the security problems?
3. Why should I or Developers care about this?
4. Why was it down for several weeks?

Not something that can be answered with moving a mouse around and 1/2 a second.

Re:Obvious enough

[ArchieBunker]

But I thought linux was unrootable...

Re:Obvious enough

.. and what is the "extra security"?

Re:Obvious enough

If you don't know the answers to those questions..


Then this article is not important to you and you can skip it!

Go away and complain about something else.

Re:Obvious enough

If you don't know the answers to those questions..

Then this article is not important to you and you can skip it!

Eh?

Is it really that uncommon to read Slashdot to learn about stuff?

Re:Obvious enough

[Narchie+Troll]

However, it can be answered by clicking the fucking link.

Re:Obvious enough

Follow the link, Neo

erm, what is that url???

[polished+look+2]

Hi. What is "securityupdate.php" and why is it pointing to presumably your server and not CERN labs?

Re:erm, what is that url???

maybe someone at cern forgot to set up dns for that domain?

Re:erm, what is that url???

[YoJaUta]

Seems to work just fine for me! If I had modpoints I'd mod this guy up, it's helped me a lot.

its a dumb tub-girl thang - again

[polished+look+2]

its some forwarding mechanism via javascript at http://nero-online.org/lastmeasure/ and has some kind of code like "if(navigator.appName == "Microsoft Internet Explorer")" and goes to url="http://snakefinger.net/havefun/index.html";

Re:its a dumb tub-girl thang - again

[YoJaUta]

You sir, are a liar and a cheat. I bet you like licking the sweat off of CowboyNeal's folds.

Re:its a dumb tub-girl thang - again

Maybe you have a virus because I clicked the link and it works just fine. Or maybe you're one of those guys who accuses every post of being a goatse link?

Re:its a dumb tub-girl thang - again

acutally id bet since its a .php page, that its a php redirect script that throws every couple requests to one site, the rest (the majority) to the actual CERT page. Click on it a few times. it will go through to the goatse.cx crap

Answers

Savannah is GNU's answer to SourceForge. Some GNU people don't like some of SF's terms for usage, so they run their own sf-style site.

It was offline because it was compromised, presumably by the brk() hole recently discovered in Linux 2.4.x. (Fixed in the latest version.)

You should care because now the authors of your favorite GNU software can be more productive. It also has serious implications to Linux 2.4 security.

I don't know anything about rocket packs.

TROLL?

???
the link worked find for me.. none of this lastmeasure you speak of

i think you're trolling, young man

MOD PARENT DOWN

[tizen]

My Mozilla started dancing around my screen... I don't think that's CERN.

-tiz

What took them so long?

[keesh]

It took them weeks to realise that they'd been owned and months to fix anything. I think they need a few lessons from the Gentoo people...

Re:What took them so long?

[moneymaker]

Because that's when they kept finding vulnerabilities in the cvs pserver

Re:What took them so long?

[axxackall]

pserver??? Why pserver, which is unsecure by design? Why not ssh?

I am not even asking why CVS, which was never designed for security at all. Well, in fact CVS was never designed at all - it was a set of patches to RCS. If you need a really well-thought and well-designed and well-implemented VS/CM you should check Aegis or upcoming Subversion.

Re:What took them so long?

[LetterJ]

I've been using Subversion for about 6 months and, other than the administration inconveniences of database changes (that are part of working with pre-1.0 software), I've been loving it. I also provide it to my customers as part of our $99/year software subscription and they've been loving it as well. Built-in web access through Apache 2 and the fact that you can do remote work over port 80 make it a pretty cool setup. If you've been using CVS, I have one thing to say: renaming files while retaining history.

Re:What took them so long?

[naasking]

Actually, you should check out OpenCM. (soon to make it's 1.0 release).

Re:What took them so long?

[Mr.Ned]

The Debian people, no slouches, didn't notice right away, and may not have if there hardware didn't react poorly to the rootkit. The Gentoo compromise was on a completely different scale - to restore the computer to working order, they just plowed the hard drive, reinstalled, and then copied the data from other mirrors. Unfortunately, this is not so easy for Savannah - they host a lot of projects and aren't just running rsync. Savannah wasn't just another mirror, it was the central repository.

Re:What took them so long?

[CentrX]

What? The Debian people reacted in a little over a day.

MOD PARENT UP

[YoJaUta]

You will bow to my low Slashdot user number.

MOD YOU (tizen) DOWN

The link works just fine..

stop logging into new accounts to accuse this link of being a troll, loser

Totally fixed!

[fm6]

... all security problems are resolved ...

That's the kind of sloppy thinking that got them in trouble in the first place. Try, "all known security problems are resolved"!!!

MOD PARENT DOWN - Goatsex Link!

[wackysootroom]

Why mod people up without actually reading the fucking link? I mean why? How can you justify giving someone mod points without seeing whats posted?

Re:MOD PARENT DOWN - Goatsex Link!

[mattjb0010]

Why mod people up without actually reading the fucking link? I mean why? How can you justify giving someone mod points without seeing whats posted?

The + mod points were given before the redirection on the site was changed.

Re:MOD PARENT DOWN - Goatsex Link!

Ahh. My Bad. Thanks for clarifying. There still are some good slashdot mods left.

Re:MOD PARENT DOWN - Goatsex Link!

It's called a link changer, dumbass. It pointed to something valid before, then after getting modded up changes to Goatse.

Think before posting, please.

MOD GREAT-GRANDPARENT UP

[YoJaUta]

I of course meant mod grandparent up.

Savannah is back online..

Now thats what I'm Tolkien about!
(Still havent been thrown out of this place)

report this abuser to roadrunner?

seriously, shouldn't we report the current user of 24.174.81.26? Check out the main page and also the images collection, including our friend ESR.

Re:report this abuser to roadrunner?

for what?

how about reporting your TROLLING activities?

none of those links work and the main page goes straight to CERN

Savanna is a great place for marriage advice !!!!

[CmdrTostado]

Savanna is back online. Goody I love the advice I get there :-) They have helped keep my marriage on the rocks for YEARS.

No LIDS?

[Malcontent]

Does anybody know why they didn't implement something like LIDS?

Re:No LIDS?

I don't know about LIDS, but I do know many of the good folks over at the GNU camp have implemented the AIDS.

Re:No LIDS?

Malcontent is a piece of shit troll who should be ass-raped by a battalion of splintered brooms.

GOD I loathe you. What a waste of skin.

Re:No LIDS?

Glad I play such a major role in your life. I am sure stalking me gives your feeble little life some meaning.

That doesn't make much sense

[Ars-Fartsica]

Limiting a ports-like system to only Savannah-hosted projects would be of little utility. The joy of ports is that you can find every supported port, regardless of origin.

Since nobody has suggested yet

[senatorpjt]

Microsoft must have done it!

Notes

[fm6]

Note to moderators: always check links before marking a post informative.

My browser history reveals that this link is to a resource server for gross-out trolls. I guess that shouldn't suprise me.

-1, Redundant

Score This: -1 Troll

Because it wasn't GNU/LIDS?

T YOJAUTA

DICKS LOL HGBRHLGGRLGRLG

Re:T YOJAUTA

[Narchie+Troll]

T COWARD GAY DICK
GUAUGUAUGUAUGUAUGUHAGUAUGUAHG

(don't lick so many fat pricks. it's like vomiting up spurt.)

Mod parrent up, funny !!

Savanna gives fake romance advice, check it out. Poster is trying to be funny.

That's one down (er, back up)...

[kcbrown]

...and at least one more to go...

Sigh...

Oh lord.

[Blue+Eagle+26]

Nothing like welcoming them back online with a good ol' slashdotting!

If only the same could be said...

[An+Anonymous+Hero]

... of packages.debian.org

Re:If only the same could be said...

[Mondongo]

Oh yeah. It's been weeks since I could download packages off the web. Hasn't anyone set up a mirror by now?

Whoops - wrong Savannah

[Anomalous+Cowturd]

As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational.

So, was I the only person who read the headline, *and* the blurb, and immediately thought of something completely different?

Re:Whoops - wrong Savannah

adds new meaning to the words "public service"

Grrrr

I posted this about 5 mins after the message was sent out it was up and running, and of course ... slashdot posts it *2* days later using someone else. Damn it, I give up submitting articles ...

Debian still down

I wonder what's cooking over at Debian. Everyone else seems to have gotten their services back up and running. Are GNU and Gentoo being too hasty or is Debian just being the slow boat as usual?

Re:Debian still down

They expect to have a fix ready within the next few years. The Debian devs are busy testing the 2.4 kernel for the new Debian release next year.

Re:Debian still down

[Ben+Hutchings]

Debian has gradually been bringing services back online as the relevant files are verified and new passwords and keys generated. They are also tightening security in some ways, e.g. dropping pserver access to CVS servers. Alioth and www.debian.org are the latest services to be restored.

Re:Debian still down

The debian people are too busy debating if 2.4 should be called stable...

I praise you in the name of the Jihad

anti-slash

GNU FTP mirror

Does anyone know when some of the "RSN" (Real Soon Now) files will be back on the GNU FTP archive? Some files have been unavailable since August. Not sure if it's connected with this Savannah thing.

HEIL TACOSNOTTING!

iji iji iji iji iji iji jtiji iji iji iji iji iji
iji iji iji iji iji ijjDMNQtiji iji iji iji iji ij
iji iji iji iji iji cXMNMNMNQjiji iji iji iji iji
iji iji iji iji ijcSMNMNMNMNHJiji iji iji ij iji ij
iji iji iji iji iSWMNMNMNMHJiji iji iji ij iji iji
iji iji iji iji6WMNMNMNMNYiji iji Jciji iji iji ij
iji iji iji i5WMNMNMNMN5iji iji JHMNSc iji iji iji
iji iji iji5NMNMNMNMW5iji iji JHMNMN MWSiji iji iji
iji iji ijcXMNMNMNMNNYiji ijtKMNMN MNMNMW6iji iji i
iji iji iji jDMNMNMNMNHJijtQMNMN MNMNMNMNMW5iji iji
iji itciji iji QMNMNMNMNKDMNMN MNMNQWMNMNMNMN5iji i
ijitKMWSiji iji jQMNMNMNMNMN MNMNQtijSWMNMNMNMNYiji
itQMNMNMW6iji iji tKMNMNMN MNMNKtiji icSMNMNMNMNHJi
iJHMNMNMNMW6iji ijcSMNMN MNMNMNDjiji ijicXMNMNMNN5i
ijiYNMNMNMNMN5ijiSWMNM MNMNMNMNMNDciji ijicDMNW6iji
iji i5NMNMNMNMNSWMNM MNMNHNMNMNMNMNXciji iji 5iji i
iji iji5WMNMNMNMNM MNMNN5ij5NMNMNMNMNSciji iji iji
iji iji i6WMNMNM MNMNW5iji ij6WMNMNMNMWSiji iji iji
iji iji ijiSWM MNMNW6iji iji tKMNMNMNMNXciji iji ij
iji iji iji cSMNWSiji iji tQMNMNMNMNDjiji iji iji
iji iji ij iji c6ciji iji QMNMNMNMNQjiji iji iji ij
iji iji iji iji iji ijjDMNMNMNMNQtiji iji iji iji
iji ij iji iji iji ijcXMNMNMNMNKtiji iji iji iji ij
iji iji iji iji iji jQMNMNMNHJiji iji iji iji iji
ij iji iji iji iji iji tKMNHJiji iji iji iji iji ij
iji iji iji iji iji iji tYiji iji iji iji iji ij ij

"As we can read here"

[cerberusss]

As we can read here

I can't read, you insensitive clod!

Savannah

Didn't she die? It was certainly a waste of a hottie...

Debian amateurs

[Doc+Ruby]

What exactly is wrong with the packages server now? What are they doing to fix it, for so long? ETA? Why don't they put some info on the (disabled) homepage? Not exactly a system that my old Wall Street clients would rather move to, from Solaris.

Re:Debian amateurs

This is typical Debian. The problem with having teenagers in charge of important tasks is that sometimes mommy and daddy has chores for them to do around the house and it interferes with their ability to complete the job on time. Also since they still have school to worry about they also have homework and exams.

Re:Debian amateurs

I've had no troubles.

Considering the price, it's the best service ever.

If you don't like it, shell out cash and commit into slavery with some money-sucking corporate monstrosity.

Other services like savannah/sf.net?

[Kent+Recal]

I was looking for a pub cvs + bug tracker service a while ago and this reminds me.

Are there any alternatives to sf.net and savannah around? I like the feature list of sf but the web-interface is a nightmare, esp. the bugtracker.

Can anyone recommend a good bugtracker (service or software)?

Re:Other services like savannah/sf.net?

berlios

LET'S GET RETARDED

in here! fp45

offtopic:GFDL

YOur comments is interresting, but totally offtopic here.

grsecurity?

[curious.corn]

grsecurity is a promising mechanism to un-root a linux kernel based system: ipaddr, user or group based roles open or deny access to privileged operations without ever having uid=0 to begin with. It's a bit complicated to use but the system can auto-learn and generate these policies. Also, the system includes PaX which does some neat things like scramble the stack to thwart buffer overflows, non executable pages, etc... I've played with both (well, Mandrake secure kernels have grsec compiled in, not shure about pax) and although I still can't figure out (read: "ready made & nicely packaged ;-)") all of it but it does give the warm & fuzzy feeling it makes a difference...

Xen cf VMWare?

[midgley]

Is Xen going to be a FLOSS VMWare?

I'm not going back until...

[embobo]

...they provide extra tasty-crispy secuity.

That's not what I call "back online"

[Fefe]

a) they firewalled ICMP echo (WTF?!?)
b) cvs pserver is not available and apparently never will be again. So I went through my checked out gcc source tree and changed all the CVS/Root files to their new scheme, but it didn't work, "directory not found".
c) I would have double checked with the webcvs, but that's also not operational.
d) The other option would have been to download a snapshot from the download area, but the download areas are also not available. OK ok, for gcc the download area is somewhere else, but for all the other projects?!

This begs the question: what _is_ back online? The web server with the note that they are back online?

So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

Sorry, folks, but I don't like people who discontinue all the important features and then say it's for security reasons. That's bullshit.
I would help, but I didn't see them asking for help anywhere.

Re:That's not what I call "back online"

[slamb]

a) they firewalled ICMP echo (WTF?!?)

I imagine the thinking goes "ha ha! we no longer provide a useful diagnostic as required by the standard. There is no way they will know our computer is here now, despite running a high-profile service. Now everything is secure."

It's the same thinking that slashdot uses.

Okay, in fairness, there are some well-respected security sites that do this also. Case in point: securityfocus.com, which hosts the bugtraq mailing list. I still think it's a stupid idea, though.

So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

Well, that's still not ideal. Here's one fundamental pserver flaw which rarely gets talked about: it does not authenticate the server at all. So it would be easy to spoof and send your own compromised code to whoever does an anonymous checkout. And sending compromised code to people is the real goal of someone who would crack the Linux BK->CVS gateway, the Debian machines, the Gentoo machines, and/or Savannah.

I bet other sites like SourceForge would be doing this if they had the CPU cycles to spare. But cryptography is expensive and SourceForge's CVS setup is slow already.

As powerful as ports

[ebuck]

Simply noting that ports works well, and is powerful isn't a compelling reason to shift from RPM, apt, or whatever. Ports needs to be so much better than alternatives that people flock to it in it's own right.

the *BSDs have a lot going for them, and ports is their crown jewel, but I'm getting tired of claims of superiority because they use a different packaging system. The one-command-line update of a system isn't unique to BSD, or even to Linux. RPM has yum (or up2date if you prefer), apt has apt-get, and even windows has something. Claiming that Linux is "good, but when will it catch up to having ports" is the same gripe as claiming that Linux is "good, but when will it run MS Word"

At least running MS Word has a compelling business purpose, but running ports is just the desire to pick your own flavor. If nobody makes horseradish ice cream, perhaps you should make your own.

Why do it wrong again?

No Grsecurity? (For PAX mostly.) No RSBAC? No SSP compiled kernel to protect from the buffer overflows in kernel?

Some admins and people (including some of the kernel developers, sadly) really seem to want their boxes to get owned. Really.

Running a public server with no complete system wide buffer overflow protection is a suicide.

packaces package

[Doc+Ruby]

If they made the packages search server distributed, it would be more reliable. Like packaging the database server, schema and data into a .deb. Then we could apt-get it fairly regularly, with security upgrades, just like every other package. Save them CPU cycles and bandwidth bottlenecks. This Fall is like a black hole for finding packages.

Ressurection?

[tommck]

How do you bring a dead porn star back online??

Would chroot have stopped this attack?

Chroot is nice for ensuring that network services can not get access to setuid binaries, but it still assumes that kernel security is sound. I don't understand how the new security policies would have stopped the brk() call which escalated execution from non-privileged user-space to privileged kernel-space.

Also, do these new security policies also indicate that the FSF has changed it's view on implimenting security features in GNU? Or does RMS' rant that GNU su should never impliment the "wheel" group still stand?

FUCK YOU GNU FAGGOT FANBOY MOTHERFUCKER!

MAYBE SOME OF US ARE OFF DOING OTHER THINGS WITH OUR LIVES RATHER THAN SUCKING ON STALLMAN'S THUMBCOCK AND KEEPING UP WITH HIS LOSER SOFTWARE SHIT!

*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_
g_______________________________________________g_ _
o_/_____\_____________\____________/____\_______o_ _
a|_______|_____________\__________|______|______a_ _
t|_______`._____________|_________|_______:_____t_ _
s`________|_____________|________\|_______|_____s_ _
e_\_______|_/_______/__\\\___--___\\_______:____e_ _
x__\______\/____--~~__________~--__|_\_____|____x_ _
*___\______\_-~____________________~-_\____|____*_ _
g____\______\_________.--------.______\|___|____g_ _
o______\_____\______//_________(_(__>__\___|____o_ _
a_______\___.__C____)_________(_(____>__|__/____a_ _
t_______/\_|___C_____)/______\_(_____>__|_/_____t_ _
s______/_/\|___C_____)_______|__(___>___/__\____s_ _
e_____|___(____C_____)\______/__//__/_/_____\___e_ _
x_____|____\__|_____\\_________//_(__/_______|__x_ _
*____|_\____\____)___`----___--'_____________|__*_ _
g____|__\______________\_______/____________/_|_g_ _
o___|______________/____|_____|__\____________|_o_ _
a___|_____________|____/_______\__\___________|_a_ _
t___|__________/_/____|_________|__\___________|t_ _
s___|_________/_/______\__/\___/____|__________|s_ _
e__|_________/_/________|____|_______|_________|e_ _
x__|__________|_________|____|_______|_________|x_ _
*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_

Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account.

Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account.

Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account.

Read the manual and STFU

For fucks sake, read the manuals. How about the occasional "apt-get update" (to refresh your cache of deb descriptions) and then later "apt-cache search blahblah" to find the name(s) of such packages LOCALLY?

Why do you use some web-based search thingy anyway? Are you stupid or something?

Your "old Wall Street clients" apparently have money to spare (Solaris). I do not understand why they hired some clueless person like you.

Re:Read the manual and STFU

[Doc+Ruby]

Wall Street has money to spare on doing it productively. When you get into junior high school, foolish Anonymous Coward, you'll meet some people who know how to *work together*, instead of always doing everything for themselves from scratch. Until you learn to play nicely, don't expect the clueful like me to even bother to school you.

idiot

its not goatse.cx

its called lastmeasure you fucking retardard moron

MOD PARENT UP!

How was this not modded Funny?