Tag Archives: Security

Introducing HTTPS for Project Websites

We are very excited to offer HTTPS web hosting to all projects. With a single click, projects can opt in to switch their web hosting from http://name.sourceforge.net to https://name.sourceforge.io. Project admins can find this option in the Admin page, under “HTTPS”, naturally 🙂

[Screenshot: SourceForge project web HTTPS option]

When a project switches over to HTTPS, the old domain will redirect, so no traffic will be lost or links broken. However, some configuration updates may be necessary if your site contains HTTP references (scripts, image tags, etc). See here for a guide to managing those changes.

This is just one step of many in our continued effort to improve security throughout SourceForge. See our Site News section for a comprehensive list of SourceForge improvements including recent past announcements about multifactor authentication, virus scanning, and more.

Introducing Multifactor Authentication on SourceForge

As part of our ongoing effort to improve security on SourceForge, we have added multifactor authentication. All project developers are encouraged to enable it for their account.

What is multifactor authentication? In short, it means providing something in addition to your password to log in. One of the most common forms of this is using an authenticator app on your phone, which will produce a 6-digit code specific to your account and the current time. When you log in, after entering your password you will be prompted to provide the current code. Backup codes are provided in case your phone is lost. Download or print your backup codes, otherwise you could risk not having any way back into your account.

[Screenshot: multifactor authentication setup]

It’s easy to use: you can get started on your account preferences page. All you’ll need to do is install an authenticator app on your phone and use it to scan a QR code to set it up. Then whenever you log in, just use the app to get the current code. See the multifactor authentication documentation for more info, including how to use it for things like committing code and SFTP.

Future enhancements that we are looking at include alternate authentication with FIDO U2F hardware keys, and showing admins of a project whether other developers have multifactor authentication enabled.

SourceForge now scans all projects for malware and displays warnings on downloads

Starting today, SourceForge will display a warning badge next to the download button on any project that has been flagged as containing malware by our malware scans. Our definition of malware includes adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package of any project on SourceForge.

We’ve partnered with Bitdefender to scan the open source software projects on SourceForge so that users feel more secure in downloading clean, safe software from SourceForge that will not put their machines in jeopardy, nor bundle any adware, malware, or unwanted applications. We will also be running additional scans with ESET.

The top 1000 most popular SourceForge projects, representing 84% of all SourceForge traffic, have already been scanned. The vast majority of them contained no issues, but projects that were flagged for malware were notified, and most of them have rectified the issues already by removing the flagged files. For the few projects that have not addressed the issues, the malware warning badge (screenshot below) will display in red next to the download button. At this very moment, in a process that will take weeks, every last project, even dating back years, will be scanned and will display a warning flag if there are any suspicious files flagged by our virus scanners.

[Screenshot: malware warning badge next to the download button]

Interested parties can click the “Files” tab to see exactly which files in the project were flagged. We’ve also disabled automatic downloads on projects that have been flagged, so a user would have to proceed manually with downloading a file that may contain malware. Project admins will get an additional dashboard that will provide more in-depth details on why a file was flagged and how to address it. Project admins will also be able to submit a support request related to any issue detected by the scanners, and to request that a file be whitelisted once we’ve reviewed it.

[Screenshot: screen-malware-2]

[Screenshot: screen-malware-3]

Going forward, all new projects uploaded to SourceForge from brand new user accounts will not be accepted if they are flagged by either Bitdefender or ESET scans upon uploading. Projects from users who have been registered with SourceForge for a certain amount of time will be able to upload projects, but if they are flagged they will display the warning.

As with all virus scanners, the method is not 100% perfect, but we are committed to doing everything in our power to ensure that the open source software hosted and distributed on SourceForge is clean, safe, trustworthy, and free of any adware, viruses, malware, or unwanted applications.

Pandora Flexible Monitoring System


Rich: I’m speaking with Sancho Lerena, and we are speaking about the Pandora FMS Open Source project. And we’re also speaking about the company behind Pandora FMS.

If you’d like to have your project featured on the SourceForge podcast, just drop me a note and we’ll schedule something.

If the embedded audio player below doesn’t work for you, you can download the audio in mp3 or ogg formats.

You can subscribe to this, and future podcasts, in iTunes or elsewhere, at http://feeds.feedburner.com/sourceforge/podcasts, and it’s also listed in the iTunes store.

Tell me how this project got started initially.

Sancho: This began about 8 years ago. I was working in a bank as a security consultant, and I had a lot of spare time. I was working with firewalls, with all systems like BSD, Solaris, AIX. I need to monitor different things – strange things – in that system. And with the usual tools from the big ones like Tivoli and HP – it was pretty difficult to extract information from that system. So I started with a few scripts that just collected data and sent it to me, and the thing started to grow up as an experiment for my day to day work, and after a year or two, the whole thing was something more than a few scripts. Later I have something – a product which was useful to monitor different kinds of servers – unix servers, Windows servers – I started to monitor network equipment. So I thought that could be something I could do for a living, and I started a company with that idea.

Rich: How is the open source edition related to what you do for your company? Are there some things that you add to that in an enterprise version?

Sancho: The most difficult part of the project was how to make profit from an open source project. So at the first versions, until, I think it was in 2007 or 2008, the product was 100% free. Free as open source, and free for people to pay nothing. We saw in that period that it was very difficult to earn money, mainly because – not because of the license – big companies don’t trust you if all is open. It doesn’t seem professional – for some of them, not for all, but I think it’s difficult. So we focused our strategy to identify what parts of the product will be useful only for big companies. So, our enterprise features are only for big companies. It’s not the same to monitor a small company with 20 servers as to monitor 2000 servers. It’s completely different. So, in Pandora FMS I think 80 or 90% of the features are open. Everybody can just download the package and install and use it. There are thousands of servers using the Open Source. But companies like Telefonica, or other companies in Japan like Rakuten, or Casio, need something specific to monitor a lot of systems in a homogenous way. We call it policies. Probably there are a lot of other applications which use the same approach.

Rich: Where did you get the name for the project? Is it related to the Greek myth, or is there some other history behind that?

Sancho: Yeah, that’s it. You need something to warn you if something wrong escapes from the unknown. You need to know. The first logo was an octopus inside a box. Later we added the ‘FMS’ – because “Pandora” is too generic, and it was difficult to search in Google. The ‘F’ initially was for ‘Free Monitoring System’, but someone told me that ‘Free’ is a bad marketing word, so we renamed it as ‘Flexible Monitoring System.’

Rich: How does Pandora compare to some of the competition out there like Nagios?

Sancho: We like to think we are better. The real thing is that the Nagios community is huge, and everybody, when you ask, how do you do monitoring in your company or in your experience, everybody thinks Nagios, because Nagios was the first, or the first in importance to the community. I believe Nagios is not evolving in the same way we do. I think the user interface, and letting the user have the complete power from the console, and not need to enter into screens, or start a process from the shell – it’s very important. And also reporting. It’s one of the most important differences between other solutions and Pandora. Monitoring is very very complex. There’s more than 100 applications for monitoring in the market. There’s a lot of differences between each of them. We like to think Pandora is a horizontal approach, that means you can use Pandora for almost any kind of environment you need. Networking, servers, performance, business applications, reporting, even data mining. Of course, you can integrate all the pieces together. Other applications are more focussed on performance, or availability, or even management. Pandora likes to put all these features together.

Rich: On the community side, how involved is the community in the development of the code? Is it primarily your company that develops the code, or do you also have participation from an outside community.

Sancho: The first time we started Open Source, we had some developers who were involved in the project. We have a few developers from the US, another one from Europe, another one from New Zealand. But the kind of development help they provided was only for small features, and not for long-time commitment. More like – I think that feature is OK and I would like to help you do that, or give us suggestions, or bug reporting. Later, when we moved to a more enterprise level, trying to focus on the features big companies need, we lost that kind of contribution, but in exchange we got in contact with companies which were interested in helping us to adapt Pandora to their needs. At this moment we have a full committer relationship, not only for development issues, also about business relationships, with a company in Japan, one of our partners. They have six people in their development team. All of them have access to the repository code, and we also have a company in Ecuador who are helping us also with some development. And we increase a lot of people giving us suggestions, ideas, and of course bug reporting. We have a very populated tracking server. Very active.

Rich: What is in the future for your project? What sorts of new things are you looking at doing in the coming year?

Sancho: We are now working in two different versions. We call it the stable version – we’re probably releasing any time now. It contains just a few new features and a lot of bug fixes, like usual in this kind of development. But we are working also in the next minor version – version 5.2. We are doing now a lot of huge improvements. We are adding the NetFlow feature to Pandora, for free, for Open Source. And we also are adding a new layer for management of different sites of Pandora. We call it metaconsole. We’ll provide a service provider to offer monitoring services to other companies, and be able to manage, why not, 10,000 servers from a single console.

One of the first things I had clear when I started Pandora was that the product should be on SourceForge. Because SourceForge was, for me, the source of knowledge about Open Source projects. It’s the site to be on – to be there. At first we had problems with the product name because it was taken. I had to wait two years until the Pandora name was free again. That’s because your site is really important on the Internet. If it’s an Open Source product, it should be on SourceForge.

Rich: Thank you Sancho for taking the time to speak with me.

Sancho: Thank you too.

Verifying Downloaded Files

When you download a file from SourceForge (or, indeed, from anywhere), there are often mechanisms for verifying that you’ve downloaded the right thing – i.e., that nobody has tampered with the file, and that you’re getting what the developers intended for you to download.

The most common way to do this is with a file hash that gets generated when the file is created.

[Screenshot: file information dialog showing the SHA1 and MD5 checksums]

Each time a file is uploaded, we generate an MD5 hash and a SHA1 hash of that file, so that you can quickly check whether a file has been tampered with.

In the files interface, click on the “I” information icon next to the file, and you’ll see, as in the image above, two strings labelled SHA1 and MD5. These are cryptographic strings generated from the file itself, which you can verify on your end to ensure that the file you are downloading hasn’t been tampered with somewhere between us and the mirror, or between the mirror and you.

We will also, very soon, be adding those checksum strings to the file download page itself, so that you don’t have to go out of your way to look for them.

Once you have downloaded the file, check that the MD5 or SHA1 checksum of that file matches what we list on the site. If they don’t match, notify us, then try downloading from a different mirror.

On Windows, we recommend a tool like md5deep to generate the hashes from the downloaded file. There are also browser plugins that will calculate the checksums on a file as you download it, so that you’re less likely to forget to do it yourself.

On Linux, at the command line:

$ md5sum download.tar.gz
84a3d6aa561b112058ad9aa08a352044  download.tar.gz

$ sha1sum download.tar.gz
b6133cbc973faf908f83fa950574db0fa268480c  download.tar.gz

On Mac OS X, at the terminal:

$ md5 download.tar.gz
MD5 (download.tar.gz) = 84a3d6aa561b112058ad9aa08a352044

$ shasum download.tar.gz
b6133cbc973faf908f83fa950574db0fa268480c  download.tar.gz

Again, if you discover that a checksum doesn’t match, please tell us so that we can do something about it as quickly as possible.

We also strongly encourage project admins to verify your files yourselves on various mirror servers, after you’ve uploaded them, ensuring that what’s on the server matches what you uploaded.