lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 06 Aug 2004 10:29:36 +0200
From: Tilman Schmidt <Tilman.Schmidt@...st.de>
To: "Greg A. Woods" <woods@...rd.com>
Cc: Delian Krustev <krustev@...stev.net>, bugtraq@...urityFocus.com
Subject: Re: CVS woes: .cvspass

Greg A. Woods schrieb in <bugtraq@...urityFocus.com>:
> [ On Thursday, August 5, 2004 at 12:52:10 (+0300), Delian Krustev wrote: ]
> 
>> There's a site outhere. It's sf.net . They demonstrate, with the number
>> of projects being hosted there (with pserver access), You're not right
>> again.

> In the scenario you speak of sf.net has no real requirement for
> accountability -- their offerning using CVSpserver is effectively the
> same as providing anonymous access.  Sf.net doesn't care who the real
> humans are in this case -- they simply do their best (which isn't always
> perfect) to keep whole projects from interfering with each other.

In fact, you are even more right than you seem to think. Sf.net's
pserver access is actually anonymous and read-only. Project data in
the SF repository is considered public, and open to anonymous read
access anyway. Their pserver access doesn't add anything to that.

> Meanwhile, IIUC, sf.net does also offer secure SSH access to systems
> hosting CVS repositories and they use true system identities for eash
> SSH account, and presumably with this offering there's normally one (or
> maybe more) unique system accounts for every real human using this

That is so, and SSH access, with a system identity that is a member
of the project's development team, is required for committing changes
to a project repository.

> service, though of course the responsibility of verifying the uniqueness
> of system identities will be on the shoulders of the CVS project admins,
> and perhaps not on sf.net themselves.

Indeed. The registration form asks you to enter a real name, and
a valid E-mail address which is verified by a confirmation E-mail,
but there is no verification beyond that.

-- 
Tilman Schmidt                       E-Mail: Tilman.Schmidt@...st.de
Bonn, Germany
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ