[Tiger-user] Information regarding Savannah compromise [Fwd: Tiger secur
From: Javier Fernández-Sanguino Peña
Subject: [Tiger-user] Information regarding Savannah compromise [Fwd: Tiger security tool (group #2247) audit report (OK)]
Date: Thu, 8 Jan 2004 11:54:43 +0100
User-agent: Mutt/1.5.4i
(First off, I'm sending this announcement to all lists, but future
announcements will only be sent to tiger-announce; please subscribe to that
list too, thanks.)
Just for your information, I have just sent this mail to the Savannah
admins. The bottom line is:
- CVS sources have been audited (by both Ryan and me) and are OK.
- Downloadable files have _not_ been audited yet (but when back online at
http://savannah.nongnu.org/download/tiger/ they should include MD5sums and
gpg signatures). Please check them yourself before using them.
As described in the Homepage, however, the sources available from Debian at
http://ftp.debian.org/debian/pool/main/t/tiger/ (and mirrors) are OK. The
Debian mirrors carry MD5sums (but not signatures, since the whole archive
is signed itself).
Regards
Javier Fernandez-Sanguino
----- Forwarded message from Javier Fernández-Sanguino Peña <address@hidden> -----
From: Javier Fernández-Sanguino Peña <address@hidden>
Date: Thu, 8 Jan 2004 11:45:22 +0100
To: address@hidden
Cc: Ryan Bradetich <address@hidden>
Subject: Tiger security tool (group #2247) audit report (OK)
Hi,
First of all Happy New Year and thank you for all the work being done in
the restoration of Savannah services.
With respect to the Tiger security tool (group #2247) I have recently
manually audited:
- the CVS diffset provided by you for the project sources (post-compromise
CVS and backup copy)
- the HEAD CVS branch against my local copies of the project's source code
(this audit has also been done, at least, by Ryan Bradetich, rbrad, an
active member of the project)
- the web pages CVS
We have _not_ found any suspicious files or differences which might lead us
to believe that the source code has been compromised. All the differences
I've found in the HEAD branch have been introduced by myself (outside the
CVS sources).
We are thus starting to work, once again, with the Savannah CVS sources.
In any case, I would appreciate it if a method to back up the whole CVSROOT
tree were posted on the Savannah site (preferably under the CVS pages). It
would be to the benefit of all admins if Savannah posted a full CVSROOT
tar.gz copy that admins could download periodically. This would provide a
way to do future audits in the event of another compromise. Maybe
providing a way to synchronize backup (local) CVS servers could be
appropriate (maybe through CVSsync [1] or Unison [2]?)
Finally, I would very much like to see detailed documentation on the
changes introduced on the Savannah site (chroot setup), not only to satisfy
my curiosity but also so that other free software hosting projects (Berlios
and Alioth) can also improve their security. Hopefully you will have also
considered this and are talking with those site admins.
Thanks again for all your hard work, it is really appreciated.
Regards
Javier Fernandez-Sanguino
[1] http://www.cvsync.org/
[2] http://www.cis.upenn.edu/~bcpierce/unison/
----- End forwarded message -----
--
signature.asc
Description: Digital signature
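The two checks the mail describes, comparing a checkout against a trusted local copy and verifying downloads against an MD5SUMS list, as an added example in Python. This is not code from the Tiger project or from the mail's author; the file names, file contents and the MD5SUMS list below are constructed here for illustration, and `hash_tree`, `audit_tree` and `verify_md5sums` are names chosen for this example.

```python
"""Added example: audit a checked-out tree against a trusted local copy,
and verify downloadable files against an md5sum(1)-style MD5SUMS list.
Not Tiger project code; all sample files are constructed inline."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, algorithm="sha256"):
    """Return {relative_posix_path: hexdigest} for every regular file under root.

    Directories named 'CVS' are skipped: they hold checkout metadata (Root,
    Entries, Repository), not project sources, and would otherwise show up as
    spurious differences between a trusted copy and a fresh checkout.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and "CVS" not in rel.parts:
            digests[rel.as_posix()] = hashlib.new(algorithm, path.read_bytes()).hexdigest()
    return digests


def audit_tree(trusted, checkout):
    """Compare a checkout against a trusted local copy.

    Returns {'added': [...], 'removed': [...], 'modified': [...]} relative to
    the trusted copy, so any non-empty list is something to inspect by hand.
    """
    a, b = hash_tree(trusted), hash_tree(checkout)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def parse_md5sums(text):
    """Parse md5sum(1) output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_md5sums(md5sums_text, directory):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for each entry in the list."""
    results = {}
    for name, expected in parse_md5sums(md5sums_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        else:
            actual = hashlib.md5(path.read_bytes()).hexdigest()
            results[name] = "OK" if actual == expected else "FAILED"
    return results


def demo():
    """Run both checks on constructed data; returns (audit_result, verify_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        trusted, checkout = tmp / "trusted", tmp / "checkout"
        # Constructed stand-ins for project sources (not Tiger's real files).
        sources = {
            "tiger": "#!/bin/sh\n# constructed stub\nexec ./systems/default/run\n",
            "scripts/check_passwd": "#!/bin/sh\n# constructed stub\nexit 0\n",
        }
        for tree in (trusted, checkout):
            for rel, body in sources.items():
                f = tree / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text(body)
        # CVS metadata only exists in the checkout and must not count as a difference.
        (checkout / "CVS").mkdir()
        (checkout / "CVS" / "Root").write_text(":pserver:anonymous@cvs.example.invalid:/cvsroot\n")
        # One tampered file, one unexpected new file, one file missing from the checkout.
        (checkout / "scripts" / "check_passwd").write_text(
            sources["scripts/check_passwd"] + "# constructed tamper marker\n")
        (checkout / "scripts" / "check_extra").write_text("#!/bin/sh\nexit 0\n")
        (trusted / "doc").mkdir()
        (trusted / "doc" / "README").write_text("constructed\n")
        audit = audit_tree(trusted, checkout)

        # Constructed downloadables plus an MD5SUMS list covering good, bad and absent files.
        good = b"constructed tarball contents\n"
        (tmp / "tiger-good.tar.gz").write_bytes(good)
        (tmp / "tiger-bad.tar.gz").write_bytes(b"tampered contents\n")
        md5sums = (
            f"{hashlib.md5(good).hexdigest()}  tiger-good.tar.gz\n"
            f"{hashlib.md5(good).hexdigest()}  tiger-bad.tar.gz\n"
            f"{hashlib.md5(good).hexdigest()}  tiger-missing.tar.gz\n"
        )
        verify = verify_md5sums(md5sums, tmp)
    return audit, verify


if __name__ == "__main__":
    print(demo())
```

MD5 is used only where the page's MD5SUMS format requires it; the tree audit defaults to SHA-256 because MD5 collisions were already practical around the time of this mail. An MD5SUMS list on its own shows only that a tarball matches what the server published; unless the list itself is covered by a detached gpg signature (or, on the Debian mirrors, by the signed archive), it cannot tell you whether the server's copy was replaced along with the list, which is why the mail asks readers to check the signatures and not just the sums.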