Savannah Back Online With Extra Security

depesz writes "As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

Congratulations

[xyzzy]

On yet another slashdot posting with absolutely zero informative content (except possibly to people who already knew what the article meant).

Re:Congratulations

[shnarez]

It's a slow news day, whatcha want. :-)

Re:Congratulations

[AKAImBatman]

On yet another slashdot posting with absolutely zero informative content

Drats. Here I was hoping that they had brought back the good ship Savannah.

Re:Congratulations

[Jacek+Poplawski]

I am afraid you are wrong. Savannah is very important website. Many free projects are hosted there (for example mldonkey), and with whole site disabled development was almost completly stoped for many days.

Re:Congratulations

[depesz]

my informaation was not long because i assumed that all (or most of) the people reading slashdot know:

1. what savannah is
2. that is was down due to security compromise

plus, more information about what was changed and why can be found on the site that i gave link to.

of course it might be wrong assumptions, so next time i'll post a information to slashdot i'll remember about it, and make myself verbose. (depesz --verbose post)

depesz

Re:Congratulations

[sg_oneill]

Ignore em depesz. I know , as do most IT folk who have anything vaguely resembling a clue.

Unfortunately some folk see it better to critisize what they don't understand rather than.. oh... say ... ask a question that leads to an answer that informs and delights other.

Had it been asked, one could of then replied "Savannah is GNU/FSF's version of Sourceforge without the proprietry bits or non free projects.

Re:Congratulations

[archen]

I was hoping it was this savannah myself.

Re:Congratulations

[xyzzy]

I wasn't trying to bitch you out as the submitter, but the "editors" of the site. No, not everyone knows the two points you stated, but the script kiddies^H^H^H^H^H^H^H^H^H^Heditors should have known that, not you.

Re:Congratulations

[YOU+LIKEWISE+FAIL+IT]

Well, mark it down as overrated if you must, this comment made me laugh out loud.

Savanah is back online again

[rxed]

not anymore. is been slashdoted. :-)

Re:Savanah is back online again

[xie]

Actually they are back "online" but reading here it seems most things won't be functional till "early January 2004".

Re:Savanah is back online again

[DAldredge]

The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

Just read my journal. It explains some of what has happened.

Re:Savanah is back online again

[sg_oneill]

The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

Just read my journal. It explains some of what has happened.

Who modded that troll? Geez. Read the journal article. The guy just got booted as a Hurd maintainer because he was worried the GNU doc licence is to non-free.

Also dude, you should submit your story onto newsforge or something. Its worrying.

Re:Savanah is back online again

[Demonspawn]

Highly intersting is http://www.gnu.org/philosophy/bsd.html where GNU themselves state that the Original BSD license is "too restrictive" as it requires verbatium copying of "too many" advertising clauses.... and then make the GFDL require the same type of crap.

--Demonspawn

Questions

[Scrameustache]

What is Savahna?
Why was it not online?
Why should I care?
Where's the rocketpacks? We were promised rocketpacks...

Re:Questions

[mattjb0010]

What is Savahna?
Why was it not online?
Why should I care?

Why don't you RTFA?

Re:Questions

What is Savannah?

Savannah is a sort of "home base" for GNU Project developers. They can set up web sites for their projects, CVS repositories, mailing lists, post want-ads for developers, etc.

Why was it not online?

Early this month / late last month the system was compromised in some way. I'm not sure if anything was actually damaged or not, but it's best to try to keep things as secure as possible. Hence it was taken offline, reinstalled, and new security procedures have been (and are being) developed.

Why should I care?

If you're not a GNU developer, it has little immediate impact on you. It's one of those "just sharing" stories. :-)

Where's the rocketpacks?

I don't know, but I know that I don't have them.

Re:Questions

[HolyCoitus]

There was an article? Oh man... Are there usually articles attached to these little blurbs? I knew I had to be missing SOMETHING... I just assumed everyone knew more than me.

Re:Questions

[rifter]

"Point is TFA should be properly introduced"

You were given a site at gnu.org (if you don't know what GNU is, why are you reading /.?), told what had happened, and what the current status of the site was. What part of that didn't you understand?

First off, there wasn't a Fucking Aricle. Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something).

Now, there was an earlier slashdot article that said it was going offline. That article IIRC told more about what the hell savannah was, and why it went down, etc. That was an adctual informative article, and, surprisingly, is linked to an article.

Savannah is more than just a website, so obviously you did not know what it was either but you want to look like a smartass. Congratulations, you have succeeded in looking like a smartass.

Re:Questions

[mattjb0010]

Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)

There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

Re:Questions

[rifter]

"Yes there was a link to savannah.gnu.org, but there is not a lot of information about it on the front page, except that the services provided by savannah.gnu.org are now online (except not all, or something)"

There was also a link to the forums, stating that the system had been cracked. Try reading the /. frontpage to start with, next time you don't want to look like a stupid troll.

Whatever. The point, which you seem to have missed, is that this is the Laziest Slashdot Article Ever. Not only was there no information in the blurb, but there was not even a linked article for crying out loud! I mean granted no one reads them anymore, but jiminey crikers!

Re:Questions

[hak+hak]

Savannah is not just for GNU developers; anyone can base their free software project there. It's just that Savannah itself is the official website for many GNU packages.

Re:Questions

[erlenic]

What is Savannah?
Why was Savannah not online?

From the looks of it, Google had no idea that the city of Savannah, GA in the US was offline. Come to think of it, neither did I. Well, I'm happy for everyone that lives there. I can't imagine living through several weeks of my city being offline.

Re:Questions

[MicroBerto]

Not only that, but I spent a minute on their websites and found nothing. What's a web site that doesn't tell its readers WHAT they are? Terrible.

Re:Questions

[Lost+Race]

Where's the rocketpacks? We were promised rocketpacks...

Quake.ihoc.net! Rocketpacks for all since 1999.

Re:Questions

[Narchie+Troll]

"This web site (called Savannah) is a central point for development, distribution and maintenance of GNU Software."

The first line at the top of http://savannah.gnu.org. What the fuck are you smoking?

Security ?

[fewnorms]

And yet they still use Apache 1.3.26? Which by now is known to have some nice exploits and other faults ... no disrespect to apache here though, it's still far superior to that IIS crap.

Re:Security ?

[damiam]

It's quite likely that that's a vendor version (from Debian stable?) that has had all relevant bugfixes and patches backported by the vendor. I really doubt they'd use the vanilla 1.3.26.

Re:Security ?

[MyHair]

Debian backported the security fixes to its stable release of 1.3.26. I seem to be too tired to find a relevant link to support this. Sorry. I'm also too lazy to verify that Savannah is running Debian, but it's a pretty safe assumption I think.

Re:Security ?

[LnxAddct]

What's up groupie! I'll bet you've never even used Apache.

Re:Security ?

[wobblie]

No one in their right mind who wants to run a stable system updates versions to solve security problems; you use a patch against the version you are running. Things are less likely to break this way.

Thanks GNU we love YOU

[after]

Awesome.

Although, I wish Savannah had some sort of system where I could do installation of software similar in the way that FreeBSD does: the ports collection.

There are a lot of cool program there that I use daily, and I would like to have them all upgraded and manageable through a simple collection of applications (like the package managers for the ports collection.)

Either way, manager or no manager, there are some applications that I wanted to go get so Ill go do that now.

Thanks GNU we love YOU.

Obligatory Stallman Lingo

[toupsie]

Savannah wasn't hacked, it was GNU/0wn3d.

Xen for better speration then chroot?

[redhat421]

When I looks a intrusions like this, I wonder if using something like Xen is a perfect fit for protecting projects from each other

or perhaps as a backup known good environment.

Re:Xen for better speration then chroot?

[lkaos]

well.. Xen is designed to run 100 VMs at once. I think limiting Savannah to 100 projects is a bit restrictive.

Using a chroot and only letting things run in that chroot'd environment as a lesser user is pretty much as good as long as we can avoid kernel holes. Of course, this was the original problem....

All security problems?

[cperciva]

all security problems are resolved

I rather doubt that. Perhaps all security problems of which the server administrators are aware have been resolved, but there are definitely going to be other security problems left.

Re:All security problems?

Thanks Mr Precise. We really couldn't have figured that out.

Re:All security problems?

[cperciva]

Quoth the AC:
So in real life we consider only known problems as "problems". Same goes with vunlerabilites also.

Personally, I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

Re:All security problems?

[cburley]

I consider vulnerabilities of which I am not aware to be far greater problems than vulnerabilities of which I am aware.

I'm curious, then: where do you get the patches you apply to close the vulnerabilities of which you are not aware?

Re:All security problems?

[cperciva]

where do you get the patches you apply to close the vulnerabilities of which you are not aware?

I don't, obviously. But I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND), on the basis that there are likely other (unknown) vulnerabilities.

Re:All security problems?

[cburley]

I avoid running software which has a history of security vulnerabilities (eg, sendmail, BIND)

Ah, okay, I see what you mean. I run qmail, myself, and haven't put up a nameserver yet (but when I do, it'll be djbdns, not BIND).

its a dumb tub-girl thang - again

[polished+look+2]

its some forwarding mechanism via javascript at http://nero-online.org/lastmeasure/ and has some kind of code like "if(navigator.appName == "Microsoft Internet Explorer")" and goes to url="http://snakefinger.net/havefun/index.html";

Answers

Savannah is GNU's answer to SourceForge. Some GNU people don't like some of SF's terms for usage, so they run their own sf-style site.

It was offline because it was compromised, presumably by the brk() hole recently discovered in Linux 2.4.x. (Fixed in the latest version.)

You should care because now the authors of your favorite GNU software can be more productive. It also has serious implications to Linux 2.4 security.

I don't know anything about rocket packs.

What took them so long?

[keesh]

It took them weeks to realise that they'd been owned and months to fix anything. I think they need a few lessons from the Gentoo people...

Re:What took them so long?

[moneymaker]

Because that's when they kept finding vulnerabilities in the cvs pserver

Re:What took them so long?

[axxackall]

pserver??? Why pserver, which is unsecure by design? Why not ssh?

I am not even asking why CVS, which was never designed for security at all. Well, in fact CVS was never designed at all - it was a set of patches to RCS. If you need a really well-thought and well-designed and well-implemented VS/CM you should check Aegis or upcoming Subversion.

Re:What took them so long?

[LetterJ]

I've been using Subversion for about 6 months and, other than the administration inconveniences of database changes (that are part of working with pre-1.0 software), I've been loving it. I also provide it to my customers as part of our $99/year software subscription and they've been loving it as well. Built-in web access through Apache 2 and the fact that you can do remote work over port 80 make it a pretty cool setup. If you've been using CVS, I have one thing to say: renaming files while retaining history.

Re:What took them so long?

[naasking]

Actually, you should check out OpenCM. (soon to make it's 1.0 release).

Re:What took them so long?

[Mr.Ned]

The Debian people, no slouches, didn't notice right away, and may not have if there hardware didn't react poorly to the rootkit. The Gentoo compromise was on a completely different scale - to restore the computer to working order, they just plowed the hard drive, reinstalled, and then copied the data from other mirrors. Unfortunately, this is not so easy for Savannah - they host a lot of projects and aren't just running rsync. Savannah wasn't just another mirror, it was the central repository.

Re:What took them so long?

[CentrX]

What? The Debian people reacted in a little over a day.

Totally fixed!

[fm6]

... all security problems are resolved ...

That's the kind of sloppy thinking that got them in trouble in the first place. Try, "all known security problems are resolved"!!!

Re:Security Info

[Jake+Dodgie]

Don't bother, clicking the link, No CERN there, its just Goat Sex Man again.

Re:MOD PARENT DOWN - Goatsex Link!

[mattjb0010]

Why mod people up without actually reading the fucking link? I mean why? How can you justify giving someone mod points without seeing whats posted?

The + mod points were given before the redirection on the site was changed.

Re:Obvious enough

[GoofyBoy]

1. What is Savannah?
2. What was the security problems?
3. Why should I or Developers care about this?
4. Why was it down for several weeks?

Not something that can be answered with moving a mouse around and 1/2 a second.

No LIDS?

[Malcontent]

Does anybody know why they didn't implement something like LIDS?

That doesn't make much sense

[Ars-Fartsica]

Limiting a ports-like system to only Savannah-hosted projects would be of little utility. The joy of ports is that you can find every supported port, regardless of origin.

That's one down (er, back up)...

[kcbrown]

...and at least one more to go...

Sigh...

Oh lord.

[Blue+Eagle+26]

Nothing like welcoming them back online with a good ol' slashdotting!

If only the same could be said...

[An+Anonymous+Hero]

... of packages.debian.org

Re:If only the same could be said...

[Mondongo]

Oh yeah. It's been weeks since I could download packages off the web. Hasn't anyone set up a mirror by now?

Whoops - wrong Savannah

[Anomalous+Cowturd]

As we can read here, savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational.

So, was I the only person who read the headline, *and* the blurb, and immediately thought of something completely different?

Debian still down

I wonder what's cooking over at Debian. Everyone else seems to have gotten their services back up and running. Are GNU and Gentoo being too hasty or is Debian just being the slow boat as usual?

Re:Debian still down

[Ben+Hutchings]

Debian has gradually been bringing services back online as the relevant files are verified and new passwords and keys generated. They are also tightening security in some ways, e.g. dropping pserver access to CVS servers. Alioth and www.debian.org are the latest services to be restored.

GNU FTP mirror

Does anyone know when some of the "RSN" (Real Soon Now) files will be back on the GNU FTP archive? Some files have been unavailable since August. Not sure if it's connected with this Savannah thing.

Debian amateurs

[Doc+Ruby]

What exactly is wrong with the packages server now? What are they doing to fix it, for so long? ETA? Why don't they put some info on the (disabled) homepage? Not exactly a system that my old Wall Street clients would rather move to, from Solaris.

Other services like savannah/sf.net?

[Kent+Recal]

I was looking for a pub cvs + bug tracker service a while ago and this reminds me.

Are there any alternatives to sf.net and savannah around? I like the feature list of sf but the web-interface is a nightmare, esp. the bugtracker.

Can anyone recommend a good bugtracker (service or software)?

grsecurity?

[curious.corn]

grsecurity is a promising mechanism to un-root a linux kernel based system: ipaddr, user or group based roles open or deny access to privileged operations without ever having uid=0 to begin with. It's a bit complicated to use but the system can auto-learn and generate these policies. Also, the system includes PaX which does some neat things like scramble the stack to thwart buffer overflows, non executable pages, etc... I've played with both (well, Mandrake secure kernels have grsec compiled in, not shure about pax) and although I still can't figure out (read: "ready made & nicely packaged ;-)") all of it but it does give the warm & fuzzy feeling it makes a difference...

Xen cf VMWare?

[midgley]

Is Xen going to be a FLOSS VMWare?

I'm not going back until...

[embobo]

...they provide extra tasty-crispy secuity.

That's not what I call "back online"

[Fefe]

a) they firewalled ICMP echo (WTF?!?)
b) cvs pserver is not available and apparently never will be again. So I went through my checked out gcc source tree and changed all the CVS/Root files to their new scheme, but it didn't work, "directory not found".
c) I would have double checked with the webcvs, but that's also not operational.
d) The other option would have been to download a snapshot from the download area, but the download areas are also not available. OK ok, for gcc the download area is somewhere else, but for all the other projects?!

This begs the question: what _is_ back online? The web server with the note that they are back online?

So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

Sorry, folks, but I don't like people who discontinue all the important features and then say it's for security reasons. That's bullshit.
I would help, but I didn't see them asking for help anywhere.

Re:That's not what I call "back online"

[slamb]

a) they firewalled ICMP echo (WTF?!?)

I imagine the thinking goes "ha ha! we no longer provide a useful diagnostic as required by the standard. There is no way they will know our computer is here now, despite running a high-profile service. Now everything is secure."

It's the same thinking that slashdot uses.

Okay, in fairness, there are some well-respected security sites that do this also. Case in point: securityfocus.com, which hosts the bugtraq mailing list. I still think it's a stupid idea, though.

So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

Well, that's still not ideal. Here's one fundamental pserver flaw which rarely gets talked about: it does not authenticate the server at all. So it would be easy to spoof and send your own compromised code to whoever does an anonymous checkout. And sending compromised code to people is the real goal of someone who would crack the Linux BK->CVS gateway, the Debian machines, the Gentoo machines, and/or Savannah.

I bet other sites like SourceForge would be doing this if they had the CPU cycles to spare. But cryptography is expensive and SourceForge's CVS setup is slow already.

As powerful as ports

[ebuck]

Simply noting that ports works well, and is powerful isn't a compelling reason to shift from RPM, apt, or whatever. Ports needs to be so much better than alternatives that people flock to it in it's own right.

the *BSDs have a lot going for them, and ports is their crown jewel, but I'm getting tired of claims of superiority because they use a different packaging system. The one-command-line update of a system isn't unique to BSD, or even to Linux. RPM has yum (or up2date if you prefer), apt has apt-get, and even windows has something. Claiming that Linux is "good, but when will it catch up to having ports" is the same gripe as claiming that Linux is "good, but when will it run MS Word"

At least running MS Word has a compelling business purpose, but running ports is just the desire to pick your own flavor. If nobody makes horseradish ice cream, perhaps you should make your own.

packaces package

[Doc+Ruby]

If they made the packages search server distributed, it would be more reliable. Like packaging the database server, schema and data into a .deb. Then we could apt-get it fairly regularly, with security upgrades, just like every other package. Save them CPU cycles and bandwidth bottlenecks. This Fall is like a black hole for finding packages.

Ressurection?

[tommck]

How do you bring a dead porn star back online??

Re:Obvious enough

[Narchie+Troll]

However, it can be answered by clicking the fucking link.

Re:Read the manual and STFU

[Doc+Ruby]

Wall Street has money to spare on doing it productively. When you get into junior high school, foolish Anonymous Coward, you'll meet some people who know how to *work together*, instead of always doing everything for themselves from scratch. Until you learn to play nicely, don't expect the clueful like me to even bother to school you.