[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[sdx-developers] TR : Status of savannah.{gnu,nongnu}.org

From: Rasik Pandey
Subject: [sdx-developers] TR : Status of savannah.{gnu,nongnu}.org
Date: Tue, 23 Dec 2003 12:21:27 +0100


 >-----Message d'origine-----
 >De : Bradley M. Kuhn [mailto:address@hidden 
 >Envoyé : mardi 23 décembre 2003 07:16
 >À : address@hidden
 >Objet : Status of savannah.{gnu,nongnu}.org 
 >Hash: SHA1
 >                                         Monday 22 December 
 >2003, 19:51 EST
 >Dear Savannah Users,
 >As you know, and have 
 >been down for a number of weeks due to a system crack.  
 >Thanks to the contributions of many people -- most notably 
 >Mathieu Roy, Jim Blair, and Paul Fisher -- the system is 
 >working again for existing projects.
 >We have implemented a new security infrastructure that uses 
 >chroot'ed environments to isolate each project.  We have of 
 >course tightened up security, but even if that tightened 
 >security is compromised for a particular project, the cracker 
 >can most likely only impact that one project.  Please read 
 >this whole statement in detail before beginning work again.
 >As part of the security changes, there are nine user-visible 
 >changes of particular interest.  Six of those changes are 
 >implemented now (three of which are temporary), and two will 
 >be implemented later.  They are as
 >   (0) All passwords were invalidated.  You will need use the "Lost
 >       Password" option to regain access.  (Click on "Login 
 >via SSL" and
 >       then the "[Lost Password?]" link.)  Expect an email 
 >shortly once
 >       you've clicked that link.  If you do not receive the 
 >email within a
 >       very short time period to the address you had on file with your
 >       account, please write to <address@hidden>.
 >       Once you have access again, please check the developer and
 >       administrator lists for all your projects, and be sure that you
 >       recognize all the email addresses and user accounts attached to
 >       your projects.  It is up to each user to vigilantly 
 >check the other
 >       authorized users, just as it was to check the integrity of your
 >       source.
 >   (1) All authorized SSH keys have been removed from the 
 >database.  Once
 >       your account is reactivated, you must again upload 
 >your SSH key.
 >       We now only accept SSHv2 keys.  Although the web interface will
 >       allow you to upload SSHv1 keys, they will not function 
 >to give you
 >       access.  Only SSHv2 keys will provide access and 
 >savannah will only
 >       accept SSHv2 connections.
 >   (2) Anonymous CVS access will continue, but pserver access has been
 >       discontinued.  We realize that many have become 
 >accustomed to this
 >       form of anonymous access, but we found many security 
 >problems in
 >       pserver and we must avoid it.  Anonymous access can 
 >now occur via
 >       SSHv2.  To do so, use the following CVSROOT:
 >              :ext:address@hidden:/cvsroot/PROJECT
 >       or
 >              :ext:address@hidden:/cvsroot/PROJECT
 >       So, for example, to get an anonymous checkout of the GNU Emacs
 >       sources, you would run the following on the bash command line:
 >              export CVS_RSH="ssh"
 >              cvs -d 
 >:ext:address@hidden:/cvsroot/emacs co emacs
 >       The first time you do this, you will be prompted by SSH to
 >       authenticate the server's key fingerprint.  See (3) below for
 >       details.
 >       Note that since only SSHv2 is accepted, you must be 
 >sure that your
 >       ~/.ssh/config does indicate use of "Protocol 1" with
 > and
 >       If you are absolutely unable to use this method for anonymous
 >       access, and you rely on anonymous access, please contact
 >       <address@hidden>.  Since SSH is now ubiquitously
 >       available on Free Software systems, we believe that 
 >requiring SSH
 >       to be installed locally to gain anonymous access from 
 >savannah is
 >       not burdensome.  If it turns out to burden you, please 
 >contact us.
 >       In fact, this new method authenticates and secures all 
 >       access, and anonymous users are now safe from 
 >       attacks when they verify the SSH host keys.
 >   (3) The host SSH keys for,,
 >, etc. have changed.  They are as follows:
 >           DSA 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5
 >           RSA 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
 >       You will prompted for these the first time you use SSH 
 >to connect.
 >       If you have older keys stored in your known_hosts 
 >file, you may get
 >       a message that says there is a "nasty problem".  If 
 >so, remove the
 >       offending entry from your ~/.ssh/known_hosts, and 
 >reconnect.  SSH
 >       will prompt you to authenticate anew with one of the 
 >keys above.
 >   (4) Temporarily, we are unable to approve new projects on 
 >savannah.  We
 >       expect to begin accepting new projects before the end 
 >of January
 >       2004.  We have to reimplement project creation scripts 
 >to adhere to
 >       the new chroot structure.
 >   (5) Temporarily, the file distribution areas for releases are not
 >       functioning.  We hope to make them functional again in 
 >January 2004
 >       and secure them by using a similar system to that now used on
 >   (6) Temporarily, all web CVS trees are not functioning.  It is
 >       currently not possible to work on the CVS trees for 
 >websites using
 >       savannah.  We hope to fix this in mid-January 2004.
 >   (7) In early January 2004, we will record for each project 
 >whether or
 >       not the developers have checked their integrity using 
 >the data in
 >       previously-posted announcements.  The indicator will 
 >be similar to
 >       the "is GNU"/"is not GNU" indicator on the main project page.
 >   (8) You will later be required to upload a GnuPG key.  We 
 >are working
 >       on changes that will require GPG-signing of all CVS 
 >commits.  That
 >       functionality is not yet available, but when it is, we plan to
 >       make it mandatory to ensure the integrity of all 
 >software hosted
 >       on Savannah.
 >Finally, I want to thank all of your for your patience while 
 >we worked to resolve these problems.  I know that many of you 
 >have been considering for the past few weeks switching to 
 >another project development site.  I don't blame you for 
 >considering that.  However, I ask now that you decide to 
 >stay.  We have learned from this experience how to harden the 
 >system to be less susceptible to cracking, and the changes 
 >we've made will not only help to prevent future cracks, but 
 >will mitigate the damage such a crack can cause.  The 
 >GPG-signing features that we plan to add in the coming months 
 >will (at least at first) be unique among project hosting 
 >sites, and ensure the integrity of your software to the 
 >greatest degree that is humanly possible.
 >Meanwhile, Loic Dachary has coordinated the acquisition of 
 >new, redundant servers in France, and we will work over the 
 >coming months to make them (at first) read-only mirrors of 
 >the existing savannah (that can be turned immediately live 
 >upon the occurrence of the crack).  In addition, as Executive 
 >Director of FSF, I am committed to implementing protocols and 
 >procedures over the next few months designed to limit 
 >downtime to a matter of hours in the case of a crack.
 >This crack comes on the heels of cracks against many other 
 >Free Software project sites; the crack of savannah is not an 
 >isolated incident.  We must work together as a community to 
 >weather these incidents.  For our part, this meant long hours 
 >and late nights over the past weeks to harden the system, and 
 >more hard work to improve our disaster recovery plans.  We 
 >ask that you make a contribution by sticking with us now that 
 >we've hardened the system and work with us to keep the system 
 >secure for Free development and software sharing.
 >Bradley M. Kuhn
 >Executive Director, Free Software Foundation
 >Version: GnuPG v1.2.1 (GNU/Linux)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]