From: Matthias A. <mat...@gm...> - 2010-01-14 01:26:22
On 13.01.2010, 22:57, grarpamp <gra...@gm...> wrote:

>> http://lwn.net/Articles/369633/rss
>> Apparently no code was tampered with.
>
> That would be pretty hard to prove if the only source for
> comparison was the code repository itself and its descendants,
> such as backups, mirrors, releases and developer/user copies.
> At least the fetchmail releases are signed via OpenPGP.
> That's a good thing.
> But how many of them, dating back to 2005, were rolled
> from, or commingled with, that repository?
> Now if the repository had built-in cryptographic checksums,
> as does git-scm.com, it would be quite easy to check and
> thus leave off the 'apparently', and say much more
> authoritatively: 'no code was tampered with'.
> And since releases would include a sig over the hash of the
> revision used to create the release, anyone on the planet
> could verify their repo copy was also good.
> code.google.com offers git repos, etc.

Well, fetchmail's SVN was hosted on BerliOS for a relatively short time, shortly after the handover from ESR to Rob, Graham and yours truly -- and only until the maintainers were pissed with the "quality" of the BerliOS SVN offering. SVN (1.0.X at the time) required frequent database recoveries at that time when used with svn+ssh, and Graham Wilson (a former maintainer) has been courteously hosting the repository outside of BerliOS since then, with https:// access, without a hitch.

Graham's repository was apparently created on 2005-08-11, which pre-dates the PHP file (2005-12-something) shown on Heise's screenshot of the defaced BerliOS page.

To be frank, BerliOS system administration is virtually nonexistent, the average support ticket response times approach infinity, and given the little effort invested in its system administration, things such as break-ins must happen sooner or later. There's a truckload of software on the BerliOS cluster that I wouldn't allow on my computers. Not the least of which to be mentioned is PHP...

but let's stop the ranting here. BerliOS is free of charge and feature-rich and I have better network connectivity there.

> Oh wait, I'm dreaming again, the world will never change :)
> Thanks for fetchmail though, been using it daily for years.

Actually, I've tried to migrate the SVN repo to Git, but I find the SVN-to-Git tools insufficient, and it takes a long time even on reasonably powered computers (Phenom II X4 w/ sufficient RAM and the fastest 7200/min HDD I could find) and I'm not 100% convinced I've received a faithful representation of the SVN repo. I've also tried to import into Mercurial, which went as smooth as a gentle breeze, but I lack experience with Mercurial in production and therefore don't dare put it into production.

-- 
Matthias Andree
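The thread's point about Git's built-in cryptographic checksums (versus SVN, whose repository carries no content hash a third party can recheck) is illustrated below with an added example that is not part of the mailing-list exchange and not fetchmail project code. It recomputes Git's real object identifiers (SHA-1 over `"<type> <size>\0<body>"`, the scheme Git uses) for a tiny constructed history of two commits, then shows that altering a file in an old commit invalidates every identifier from that point on, and that a release pinned to the head commit id (the role an OpenPGP signature over that id would play) no longer verifies. The file names, contents and author string are constructed for the demonstration; the signature itself is not modelled, only the commit id it would cover.

```python
import copy
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    # Git names every object by SHA-1 over "<type> <size>\0<body>".
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)

def tree_id(files: dict) -> str:
    # files maps name -> bytes; all entries are regular files (mode 100644).
    # Git stores entries sorted by name, each as "<mode> <name>\0<20 raw sha bytes>".
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(data))
        for name, data in sorted(files.items())
    )
    return git_object_id("tree", body)

# Constructed author/committer identity; in a real repo this comes from git config.
AUTHOR = "A U Thor <author@example.invalid> 1263428782 +0100"

def commit_id(tree: str, parent, message: str) -> str:
    # The commit object embeds the tree id and the parent id, so its own id
    # transitively covers every file of every earlier revision.
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {AUTHOR}", f"committer {AUTHOR}", "", message]
    body = "\n".join(lines).encode() + b"\n"
    return git_object_id("commit", body)

# Constructed sample history: two snapshots of a two-file project.
SNAPSHOTS = [
    {"fetchmail.c": b"int main(void) { return 0; }\n", "NEWS": b"initial import\n"},
    {"fetchmail.c": b"int main(void) { return 0; }\n", "NEWS": b"initial import\nfix build\n"},
]
MESSAGES = ["Initial import", "Update NEWS"]

def build_history(snapshots, messages):
    """Return a list of commit records, each remembering the ids it was built with."""
    history, parent = [], None
    for files, msg in zip(snapshots, messages):
        t = tree_id(files)
        c = commit_id(t, parent, msg)
        history.append({"commit": c, "tree": t, "parent": parent,
                        "files": dict(files), "message": msg})
        parent = c
    return history

def verify_history(history):
    """Recompute every id from content; return the first mismatching commit id, or None."""
    parent = None
    for rec in history:
        t = tree_id(rec["files"])
        c = commit_id(t, parent, rec["message"])
        if t != rec["tree"] or c != rec["commit"] or rec["parent"] != parent:
            return rec["commit"]
        parent = c
    return None

def verify_release(history, pinned_head: str) -> bool:
    """A release pins one commit id; it is good only if the chain recomputes and ends there."""
    return verify_history(history) is None and history[-1]["commit"] == pinned_head

def tamper(history, index: int, name: str, data: bytes):
    """Return a copy of the history where one file in one commit has been altered."""
    altered = copy.deepcopy(history)
    altered[index]["files"][name] = data
    return altered

if __name__ == "__main__":
    h = build_history(SNAPSHOTS, MESSAGES)
    pinned = h[-1]["commit"]          # what a signed release tag would cover
    print("clean history verifies:", verify_release(h, pinned))
    bad = tamper(h, 0, "fetchmail.c", b"int main(void) { return 1; }\n")
    print("first bad commit:", verify_history(bad))
    print("tampered history verifies:", verify_release(bad, pinned))
```

Because the commit id is a hash over the tree id and the parent id, one signature over the head id commits to the whole history; a mirror, backup or developer clone can be checked by recomputing the chain and comparing the head against the signed value, which is exactly the check an SVN repository cannot offer on its own.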