Slashdot Mirror


Savannah Back Online With Extra Security

depesz writes "As we can read here, Savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational."

35 of 172 comments

  1. Congratulations by xyzzy · · Score: 4, Insightful

    On yet another slashdot posting with absolutely zero informative content (except possibly to people who already knew what the article meant).

    1. Re:Congratulations by shnarez · · Score: 2, Funny

      It's a slow news day, whatcha want. :-)

    2. Re:Congratulations by AKAImBatman · · Score: 2, Funny

      On yet another slashdot posting with absolutely zero informative content

      Drats. Here I was hoping that they had brought back the good ship Savannah.

    3. Re:Congratulations by Jacek+Poplawski · · Score: 3, Informative

      I am afraid you are wrong. Savannah is a very important website. Many free projects are hosted there (for example mldonkey), and with the whole site disabled, development was almost completely stopped for many days.

    4. Re:Congratulations by sg_oneill · · Score: 2, Informative

      Ignore 'em, depesz. I know, as do most IT folk who have anything vaguely resembling a clue.

      Unfortunately some folk see it better to criticize what they don't understand rather than... oh... say... ask a question that leads to an answer that informs and delights others.

      Had it been asked, one could have then replied "Savannah is GNU/FSF's version of Sourceforge without the proprietary bits or non-free projects."

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.

  2. Savannah is back online again by rxed · · Score: 5, Funny

    Not anymore. It's been slashdotted. :-)

    1. Re:Savannah is back online again by xie · · Score: 5, Informative

      Actually they are back "online" but reading here it seems most things won't be functional till "early January 2004".

    2. Re:Savannah is back online again by DAldredge · · Score: 3, Interesting

      The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

      Just read my journal. It explains some of what has happened.

    3. Re:Savannah is back online again by sg_oneill · · Score: 3, Informative

      The GNU project is probably still too busy getting rid of project maintainers that do not agree to use the restrictive, some would say unfree, GFDL.

      Just read my journal. It explains some of what has happened.

      Who modded that troll? Geez. Read the journal article. The guy just got booted as a Hurd maintainer because he was worried the GNU doc licence is too non-free.

      Also dude, you should submit your story onto newsforge or something. It's worrying.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.

  3. Questions by Scrameustache · · Score: 4, Insightful

    What is Savannah?
    Why was it not online?
    Why should I care?
    Where's the rocketpacks? We were promised rocketpacks...

    --

    You can't take the sky from me...

    1. Re:Questions by mattjb0010 · · Score: 3, Funny

      What is Savannah?
      Why was it not online?
      Why should I care?

      Why don't you RTFA?

    2. Re:Questions by Anonymous Coward · · Score: 5, Informative

      What is Savannah?

      Savannah is a sort of "home base" for GNU Project developers. They can set up web sites for their projects, CVS repositories, mailing lists, post want-ads for developers, etc.

      Why was it not online?

      Early this month / late last month the system was compromised in some way. I'm not sure if anything was actually damaged or not, but it's best to try to keep things as secure as possible. Hence it was taken offline, reinstalled, and new security procedures have been (and are being) developed.

      Why should I care?

      If you're not a GNU developer, it has little immediate impact on you. It's one of those "just sharing" stories. :-)

      Where's the rocketpacks?

      I don't know, but I know that I don't have them.

    3. Re:Questions by HolyCoitus · · Score: 2, Funny

      There was an article? Oh man... Are there usually articles attached to these little blurbs? I knew I had to be missing SOMETHING... I just assumed everyone knew more than me.

      --
      That's scary.

    4. Re:Questions by erlenic · · Score: 5, Funny

      What is Savannah?
      Why was Savannah not online?

      From the looks of it, Google had no idea that the city of Savannah, GA in the US was offline. Come to think of it, neither did I. Well, I'm happy for everyone that lives there. I can't imagine living through several weeks of my city being offline.

  4. Security? by fewnorms · · Score: 2, Interesting

    And yet they still use Apache 1.3.26? Which by now is known to have some nice exploits and other faults ... no disrespect to apache here though, it's still far superior to that IIS crap.

    --
    Veni, Vidi, Velcro!

    1. Re:Security? by damiam · · Score: 5, Informative

      It's quite likely that that's a vendor version (from Debian stable?) that has had all relevant bugfixes and patches backported by the vendor. I really doubt they'd use the vanilla 1.3.26.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.

  5. Thanks GNU we love YOU by after · · Score: 2, Insightful

    Awesome.

    Although I wish Savannah had some sort of system where I could install software similar to the way FreeBSD does: the ports collection.

    There are a lot of cool programs there that I use daily, and I would like to have them all upgraded and manageable through a simple collection of applications (like the package managers for the ports collection).

    Either way, manager or no manager, there are some applications that I wanted to go get, so I'll go do that now.

    Thanks GNU we love YOU.

  6. Obligatory Stallman Lingo by toupsie · · Score: 5, Funny

    Savannah wasn't hacked, it was GNU/0wn3d.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.

  7. Xen for better separation than chroot? by redhat421 · · Score: 4, Interesting

    When I look at intrusions like this, I wonder if using something like Xen is a perfect fit for protecting projects from each other, or perhaps as a backup known-good environment.

  8. All security problems? by cperciva · · Score: 2, Insightful

    all security problems are resolved

    I rather doubt that. Perhaps all security problems of which the server administrators are aware have been resolved, but there are definitely going to be other security problems left.

  9. Answers by Anonymous Coward · · Score: 5, Informative

    Savannah is GNU's answer to SourceForge. Some GNU people don't like some of SF's terms for usage, so they run their own sf-style site.

    It was offline because it was compromised, presumably by the brk() hole recently discovered in Linux 2.4.x. (Fixed in the latest version.)

    You should care because now the authors of your favorite GNU software can be more productive. It also has serious implications for Linux 2.4 security.

    I don't know anything about rocket packs.

  10. What took them so long? by keesh · · Score: 4, Informative

    It took them weeks to realise that they'd been owned and months to fix anything. I think they need a few lessons from the Gentoo people...

    1. Re:What took them so long? by axxackall · · Score: 2, Interesting

      pserver??? Why pserver, which is insecure by design? Why not ssh?

      I am not even asking why CVS, which was never designed for security at all. Well, in fact CVS was never designed at all - it was a set of patches to RCS. If you need a really well-thought-out, well-designed and well-implemented VS/CM you should check Aegis or the upcoming Subversion.

      --

      Less is more!

    2. Re:What took them so long? by LetterJ · · Score: 2, Informative

      I've been using Subversion for about 6 months and, other than the administration inconveniences of database changes (that are part of working with pre-1.0 software), I've been loving it. I also provide it to my customers as part of our $99/year software subscription and they've been loving it as well. Built-in web access through Apache 2 and the fact that you can do remote work over port 80 make it a pretty cool setup. If you've been using CVS, I have one thing to say: renaming files while retaining history.

    3. Re:What took them so long? by Mr.Ned · · Score: 3, Insightful

      The Debian people, no slouches, didn't notice right away, and may not have if their hardware didn't react poorly to the rootkit. The Gentoo compromise was on a completely different scale - to restore the computer to working order, they just plowed the hard drive, reinstalled, and then copied the data from other mirrors. Unfortunately, this is not so easy for Savannah - they host a lot of projects and aren't just running rsync. Savannah wasn't just another mirror, it was the central repository.

  11. Totally fixed! by fm6 · · Score: 2, Insightful

    ... all security problems are resolved ...

    That's the kind of sloppy thinking that got them in trouble in the first place. Try, "all known security problems are resolved"!!!

  12. Re:Obvious enough by GoofyBoy · · Score: 3, Insightful

    1. What is Savannah?
    2. What were the security problems?
    3. Why should I or Developers care about this?
    4. Why was it down for several weeks?

    Not something that can be answered with moving a mouse around and 1/2 a second.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.

  13. No LIDS? by Malcontent · · Score: 2, Interesting

    Does anybody know why they didn't implement something like LIDS?

    --

    War is necrophilia.

  14. Oh lord. by Blue+Eagle+26 · · Score: 2, Funny

    Nothing like welcoming them back online with a good ol' slashdotting!

  15. If only the same could be said... by An+Anonymous+Hero · · Score: 2, Interesting

  16. Whoops - wrong Savannah by Anomalous+Cowturd · · Score: 4, Funny

    As we can read here, Savannah is back online. After several weeks of downtime, all security problems are resolved, and the service is again operational.

    So, was I the only person who read the headline, *and* the blurb, and immediately thought of something completely different?

    --

    Java: the bastard demon spawn of C++ and Ada

  17. Debian amateurs by Doc+Ruby · · Score: 2, Interesting

    What exactly is wrong with the packages server now? What are they doing to fix it, for so long? ETA? Why don't they put some info on the (disabled) homepage? Not exactly a system that my old Wall Street clients would rather move to, from Solaris.

    --
    make install -not war

  18. Re:Debian still down by Ben+Hutchings · · Score: 4, Interesting

    Debian has gradually been bringing services back online as the relevant files are verified and new passwords and keys generated. They are also tightening security in some ways, e.g. dropping pserver access to CVS servers. Alioth and www.debian.org are the latest services to be restored.

  19. grsecurity? by curious.corn · · Score: 3, Informative

    grsecurity is a promising mechanism to un-root a linux kernel based system: ipaddr, user or group based roles open or deny access to privileged operations without ever having uid=0 to begin with. It's a bit complicated to use but the system can auto-learn and generate these policies. Also, the system includes PaX which does some neat things like scramble the stack to thwart buffer overflows, non-executable pages, etc... I've played with both (well, Mandrake secure kernels have grsec compiled in, not sure about PaX) and although I still can't figure out (read: "ready made & nicely packaged ;-)") all of it, it does give the warm & fuzzy feeling it makes a difference...

    --
    I wonder who is behind all the crap I do - Altan
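
An added example, not from this thread nor from the grsecurity/PaX project: before enforcing non-executable pages the way the comment above describes, a practitioner wants to know which binaries explicitly request an executable stack, because those are the ones that break or need an exemption. This Python checker reads only the standard PT_GNU_STACK program header (PaX also honours its own per-binary marking, which is not parsed here) and ships with a constructed, non-loadable ELF64 image for offline testing; the assumed file name `nxcheck.py` in the usage comment is hypothetical.

```python
import struct
import sys

# ELF constants (System V ABI plus the GNU PT_GNU_STACK extension).
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def stack_is_executable(elf: bytes):
    """True if PT_GNU_STACK requests an executable stack, False if it requests
    a non-executable one, None if the image has no PT_GNU_STACK header at all
    (older toolchains; the kernel then usually falls back to an executable
    stack, so such binaries deserve a second look before enforcing NX)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32.
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def build_test_elf64(stack_flags=None) -> bytes:
    """Constructed minimal little-endian ELF64 image (not loadable) carrying at
    most one PT_GNU_STACK header, used to exercise the checker offline."""
    phdr = b""
    if stack_flags is not None:   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 if phdr else 0, 0, 0,
                       64, 56, 1 if phdr else 0, 0, 0, 0)
    return ident + ehdr + phdr

if __name__ == "__main__":
    labels = {True: "EXECUTABLE stack", False: "non-executable stack", None: "no PT_GNU_STACK"}
    for path in sys.argv[1:]:          # e.g. python3 nxcheck.py /usr/bin/*
        with open(path, "rb") as f:
            print(path, labels[stack_is_executable(f.read())])
```
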

  20. That's not what I call "back online" by Fefe · · Score: 3, Interesting

    a) they firewalled ICMP echo (WTF?!?)
    b) cvs pserver is not available and apparently never will be again. So I went through my checked out gcc source tree and changed all the CVS/Root files to their new scheme, but it didn't work, "directory not found".
    c) I would have double checked with the webcvs, but that's also not operational.
    d) The other option would have been to download a snapshot from the download area, but the download areas are also not available. OK ok, for gcc the download area is somewhere else, but for all the other projects?!

    This begs the question: what _is_ back online? The web server with the note that they are back online?

    So they discovered that pserver has security bugs. No, really? The solution is to provide pserver cvs in a chroot with a uid that can't write anything and maybe use systrace to disallow nasty operations.

    Sorry, folks, but I don't like people who discontinue all the important features and then say it's for security reasons. That's bullshit.
    I would help, but I didn't see them asking for help anywhere.