
[Savannah-hackers] RE: Status of savannah : TSP


From: Eric NOULARD
Subject: [Savannah-hackers] RE: Status of savannah : TSP
Date: Tue, 6 Jan 2004 12:22:41 +0100
User-agent: Internet Messaging Program (IMP) 3.2.1

I am Eric NOULARD and I am a contributor to the TSP project
hosted by Savannah.

I do confirm that this guy changed domain name last year
and since we go to the swimming pool together this noon
you may well ask him such a private question:

Did you go to the swimming pool on the 6th of January?
Answer should be: Yes.
Did you meet someone there?
Answer should be: Yes, at least Eric NOULARD.

to verify his identity by phone (if you feel it's needed).

Cheers.
Thank you for the effort made for making Savannah 
up and running.
And of course Happy New Year.

Erk


Quoting TSP <address@hidden>:

> Hello,
> 
> I have some difficulties updating my password: my email address changed
> last year from address@hidden to address@hidden, and I forgot
> to update my email address, and the ASTRIUM admin deactivated it recently.
> 
> How can I get a way to update my password then, because the automatic
> procedure "Lost password" sends a mail to my last address? It's the same
> thing for the user yduf (my developer account).
> Could you change both to the new domain astrium.eads.net ?
> 
> Thank you in advance for your help, and sorry to bother you with such simple
> things.
> 
> Best Regards
> YD
> 
> -------------------------------------------------------------------
> Yves DUFRENNE
> Expert in Software Avionic Facilities
> EA54/Astrium
> 31 Rue des Cosmonautes, 31400 Toulouse, France
> Tel.: +33-5-6219 7150, Fax: +33-5-6219 7741
> -------------------------------------------------------------------
> 
> > -----Original Message-----
> > From: Bradley M. Kuhn [mailto:address@hidden
> > Sent: Tuesday, December 23, 2003 7:18 AM
> > To: address@hidden
> > Subject: Status of savannah.{gnu,nongnu}.org 
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> >                                          Monday 22 December 2003, 19:51 EST
> > 
> > Dear Savannah Users,
> > 
> > As you know, savannah.gnu.org and savannah.nongnu.org have been down for a
> > number of weeks due to a system crack.  Thanks to the contributions of
> > many people -- most notably Mathieu Roy, Jim Blair, and Paul Fisher -- the
> > system is working again for existing projects.
> > 
> > We have implemented a new security infrastructure that uses chroot'ed
> > environments to isolate each project.  We have of course tightened up
> > security, but even if that tightened security is compromised for a
> > particular project, the cracker can most likely only impact that one
> > project.  Please read this whole statement in detail before beginning work
> > again.
> > 
> > As part of the security changes, there are nine user-visible changes of
> > particular interest.  Six of those changes are implemented now (three of
> > which are temporary), and two will be implemented later.  They are as
> > follows:
> > 
> >    (0) All passwords were invalidated.  You will need to use the "Lost
> >        Password" option to regain access.  (Click on "Login via SSL" and
> >        then the "[Lost Password?]" link.)  Expect an email shortly once
> >        you've clicked that link.  If you do not receive the email within a
> >        very short time period to the address you had on file with your
> >        account, please write to <address@hidden>.
> > 
> >        Once you have access again, please check the developer and
> >        administrator lists for all your projects, and be sure that you
> >        recognize all the email addresses and user accounts attached to
> >        your projects.  It is up to each user to vigilantly check the other
> >        authorized users, just as it was to check the integrity of your
> >        source.
> > 
> >    (1) All authorized SSH keys have been removed from the database.  Once
> >        your account is reactivated, you must again upload your SSH key.
> >        We now only accept SSHv2 keys.  Although the web interface will
> >        allow you to upload SSHv1 keys, they will not function to give you
> >        access.  Only SSHv2 keys will provide access and savannah will only
> >        accept SSHv2 connections.
> > 
> >    (2) Anonymous CVS access will continue, but pserver access has been
> >        discontinued.  We realize that many have become accustomed to this
> >        form of anonymous access, but we found many security problems in
> >        pserver and we must avoid it.  Anonymous access can now occur via
> >        SSHv2.  To do so, use the following CVSROOT:
> > 
> >               :ext:address@hidden:/cvsroot/PROJECT
> >        or
> >               :ext:address@hidden:/cvsroot/PROJECT
> > 
> >        So, for example, to get an anonymous checkout of the GNU Emacs
> >        sources, you would run the following on the bash command line:
> > 
> >               export CVS_RSH="ssh"
> >               cvs -d :ext:address@hidden:/cvsroot/emacs co emacs
> > 
> >        The first time you do this, you will be prompted by SSH to
> >        authenticate the server's key fingerprint.  See (3) below for
> >        details.
> > 
> >        Note that since only SSHv2 is accepted, you must be sure that your
> >        ~/.ssh/config does indicate use of "Protocol 1" with
> >        savannah.gnu.org and savannah.nongnu.org.
> > 
> >        If you are absolutely unable to use this method for anonymous
> >        access, and you rely on anonymous access, please contact
> >        <address@hidden>.  Since SSH is now ubiquitously
> >        available on Free Software systems, we believe that requiring SSH
> >        to be installed locally to gain anonymous access from savannah is
> >        not burdensome.  If it turns out to burden you, please contact us.
> > 
> >        In fact, this new method authenticates and secures all anonymous
> >        access, and anonymous users are now safe from person-in-the-middle
> >        attacks when they verify the SSH host keys.
> > 
> >    (3) The host SSH keys for savannah.gnu.org, savannah.nongnu.org,
> >        subversions.gnu.org, etc. have changed.  They are as follows:
> > 
> >            DSA 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5
> >            RSA 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
> > 
> >        You will be prompted for these the first time you use SSH to connect.
> >        If you have older keys stored in your known_hosts file, you may get
> >        a message that says there is a "nasty problem".  If so, remove the
> >        offending entry from your ~/.ssh/known_hosts, and reconnect.  SSH
> >        will prompt you to authenticate anew with one of the keys above.
> > 
> >    (4) Temporarily, we are unable to approve new projects on savannah.  We
> >        expect to begin accepting new projects before the end of January
> >        2004.  We have to reimplement project creation scripts to adhere to
> >        the new chroot structure.
> > 
> >    (5) Temporarily, the file distribution areas for releases are not
> >        functioning.  We hope to make them functional again in January 2004
> >        and secure them by using a similar system to that now used on
> >        ftp.gnu.org.
> > 
> >    (6) Temporarily, all web CVS trees are not functioning.  It is
> >        currently not possible to work on the CVS trees for websites using
> >        savannah.  We hope to fix this in mid-January 2004.
> > 
> >    (7) In early January 2004, we will record for each project whether or
> >        not the developers have checked their integrity using the data in
> >        previously-posted announcements.  The indicator will be similar to
> >        the "is GNU"/"is not GNU" indicator on the main project page.
> > 
> >    (8) You will later be required to upload a GnuPG key.  We are working
> >        on changes that will require GPG-signing of all CVS commits.  That
> >        functionality is not yet available, but when it is, we plan to
> >        make it mandatory to ensure the integrity of all software hosted
> >        on Savannah.
> > 
> > 
> > Finally, I want to thank all of you for your patience while we worked to
> > resolve these problems.  I know that many of you have been considering for
> > the past few weeks switching to another project development site.  I don't
> > blame you for considering that.  However, I ask now that you decide to
> > stay.  We have learned from this experience how to harden the system to be
> > less susceptible to cracking, and the changes we've made will not only
> > help to prevent future cracks, but will mitigate the damage such a crack
> > can cause.  The GPG-signing features that we plan to add in the coming
> > months will (at least at first) be unique among project hosting sites, and
> > ensure the integrity of your software to the greatest degree that is
> > humanly possible.
> > 
> > Meanwhile, Loic Dachary has coordinated the acquisition of new, redundant
> > servers in France, and we will work over the coming months to make them
> > (at first) read-only mirrors of the existing savannah (that can be turned
> > immediately live upon the occurrence of the crack).  In addition, as
> > Executive Director of FSF, I am committed to implementing protocols and
> > procedures over the next few months designed to limit downtime to a matter
> > of hours in the case of a crack.
> > 
> > This crack comes on the heels of cracks against many other Free Software
> > project sites; the crack of savannah is not an isolated incident.  We must
> > work together as a community to weather these incidents.  For our part,
> > this meant long hours and late nights over the past weeks to harden the
> > system, and more hard work to improve our disaster recovery plans.  We ask
> > that you make a contribution by sticking with us now that we've hardened
> > the system and work with us to keep the system secure for Free development
> > and software sharing.
> > 
> > 
> > Sincerely,
> > 
> > Bradley M. Kuhn
> > Executive Director, Free Software Foundation
> > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > 
> > iD8DBQE/55J853XjJNtBs4cRArnIAJ4gz/8rCx9TEXQ1tSdQDe2r9NZPTQCgpbL8
> > Sfd0jTjsYsUdBCk9106t5wE=
> > =pqRL
> > -----END PGP SIGNATURE-----
> > 
> > 


-- 
---
Erk
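
Item (3) of the quoted announcement publishes the new host key fingerprints and asks users to check them on first connection. The following is an added example, not part of the original messages or of Savannah's code: it recomputes the legacy MD5 colon-hex fingerprint from `host keytype base64` lines (the `ssh-keyscan` output format) and compares it with the two published values. The sample blob and the host name `host.example` are constructed for illustration.

```python
import base64
import hashlib
import struct

# Fingerprints published in the quoted announcement (legacy MD5 colon-hex form).
PUBLISHED = {
    "4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5": "DSA 1024",
    "80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5": "RSA 1024",
}


def md5_fingerprint(blob):
    """Legacy SSH fingerprint: MD5 of the raw key blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def blob_key_type(blob):
    """Read the length-prefixed algorithm name that starts an SSH key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad algorithm-name length")
    return blob[4:4 + n].decode("ascii")


def check_scan(scan_text, trusted=PUBLISHED):
    """Return (host, keytype, fingerprint, ok) for each 'host keytype base64' line."""
    results = []
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        host, declared, b64 = fields[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
            consistent = blob_key_type(blob) == declared
        except ValueError:  # bad base64 or undecodable blob: never trusted
            results.append((host, declared, None, False))
            continue
        fp = md5_fingerprint(blob)
        # Trust only if the declared type matches the blob AND the fingerprint is published.
        results.append((host, declared, fp, consistent and fp in trusted))
    return results


# Constructed sample: a well-formed but fake "ssh-rsa" blob, not a real host key.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(32))
SAMPLE_SCAN = "# constructed\nhost.example ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
```

Real input would come from `ssh-keyscan`; current OpenSSH prints SHA256 fingerprints by default, and `ssh-keygen -l -E md5` shows the colon-hex form used in the announcement.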



