[clc-devel] Ports servers security
Not that we're as large of a target for hackers, but one of Gentoo's central rsync servers was hacked yesterday:
http://lwn.net/Articles/61229/
I figured this might make a good time to ask: "How secure are cvsup.fukt.bth.se and crux.fh-regensburg.de?"
Logan
On Wed, 3 Dec 2003, Logan Ingalls wrote:
Not that we're as large of a target for hackers, but one of Gentoo's central rsync servers was hacked yesterday:
http://lwn.net/Articles/61229/
I figured this might make a good time to ask: "How secure are cvsup.fukt.bth.se and crux.fh-regensburg.de?"
I hope it is a bit more secure than the other machines from gentoo or debian. I don't want to tell more details on a public mailing list. Only so much: it is a very minimalistic install and it is firewalled by a professional product (one of the best IMO). The good point is that we only have shell scripts and text-files in our cvs-repository. If the Pkgfiles were hacked, we should be able to detect the changes in cvs. Debian and GNU have large amounts of source code or even binary packages, which is an immense amount of work to check IMHO.
Regards
Martin
--
martin opel / fachbereich informatik - fachhochschule regensburg / email: martin.opel@informatik.fh-regensburg.de / web: http://rfhs8012.fh-regensburg.de/~opel/
On Thu, 4 Dec 2003, Martin Opel wrote:
On Wed, 3 Dec 2003, Logan Ingalls wrote: [...]
I figured this might make a good time to ask: "How secure are cvsup.fukt.bth.se and crux.fh-regensburg.de?"
I hope it is a bit more secure than the other machines from gentoo or debian. I don't want to tell more details on a public mailing list.
I hope so too. cvsup.fukt.bth.se is managed by the admins at FUKT (FUKT = the computer club at the university I went to). I have the feeling they know what they are doing. Should something happen to the CVS repo it would be fairly easy to restore it again since I do daily backups to a different machine.
/Per
On Wed, 2003-12-03 at 21:57, Logan Ingalls wrote:
Not that we're as large of a target for hackers, but one of Gentoo's central rsync servers was hacked yesterday:
http://lwn.net/Articles/61229/
I figured this might make a good time to ask: "How secure are cvsup.fukt.bth.se and crux.fh-regensburg.de?"
Logan
Maybe I'm the only one that missed this one, anyway it seems that also savannah.gnu.org has been compromised: http://savannah.gnu.org/statement.html
Sad news.
Back on topic, I said before that I'm not a security expert; if my machine gets compromised, an attacker could gain access to crux.fh-regensburg.de, or at least to the port tree. I think the same goes for other maintainers too. Quite scary, uh?
Maybe we can find a solution to check for malicious cvs commits et similia. As Martin says in this thread, the only thing to "defend" is the cvs tree; any idea?
Simone
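Martin's point that the repository holds only Pkgfiles and text, and Simone's question about detecting unwanted changes to the port tree, both come down to the same check: hash the tree while it is known-good, keep that manifest on a different machine (the one Per backs up to, for instance), and compare the live tree against it. The script below is an added example written for this thread, not code from CRUX or any of the maintainers; it assumes GNU coreutils (sha256sum, sort, join, comm, mktemp) and a tree whose paths contain no whitespace, which is true of a ports tree.

```shell
#!/bin/sh
# Added example for the clc-devel thread; not CRUX project code.
# Assumes GNU coreutils: sha256sum, find, sort, join, comm, cut, mktemp.

# make_manifest DIR
#   Writes one "HASH  ./relative/path" line per regular file under DIR
#   to stdout, in byte order. This is the format `sha256sum -c` reads,
#   so the manifest can also be verified with plain `sha256sum -c`.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
      done )
}

# check_tree DIR MANIFEST
#   Compares the live tree DIR against a manifest written earlier by
#   make_manifest (ideally stored off the server) and prints one line
#   per discrepancy: "MODIFIED path", "ADDED path" or "REMOVED path".
#   Returns 0 when the tree matches exactly, 1 when anything differs.
#   Paths with whitespace are not handled (none occur in a ports tree).
check_tree() {
    dir=$1; manifest=$2
    tmp=$(mktemp -d) || return 2
    # Normalise both listings to "path hash", sorted by path in the C
    # locale, so that join and comm agree on the ordering.
    make_manifest "$dir" | awk '{print $2, $1}' | LC_ALL=C sort -k1,1 > "$tmp/now"
    awk '{print $2, $1}' "$manifest"           | LC_ALL=C sort -k1,1 > "$tmp/then"
    cut -d' ' -f1 "$tmp/now"  > "$tmp/now.paths"
    cut -d' ' -f1 "$tmp/then" > "$tmp/then.paths"
    {
        # Same path on both sides but a different digest: content changed.
        LC_ALL=C join -j 1 "$tmp/now" "$tmp/then" | awk '$2 != $3 {print "MODIFIED", $1}'
        # Path only in the live tree: a file was planted.
        LC_ALL=C comm -23 "$tmp/now.paths" "$tmp/then.paths" | sed 's/^/ADDED /'
        # Path only in the manifest: a file was deleted.
        LC_ALL=C comm -13 "$tmp/now.paths" "$tmp/then.paths" | sed 's/^/REMOVED /'
    } > "$tmp/report"
    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Typical use (manifest path is a placeholder):
#   make_manifest /var/ports > /backup-host/ports.sha256   # while known-good
#   check_tree /var/ports /backup-host/ports.sha256        # from cron, later
```

The manifest is only as trustworthy as the place it is kept: it has to live somewhere the server cannot write to, otherwise whoever alters a Pkgfile can refresh the manifest as well. Run from cron against an off-box copy, a non-empty report is the alert, and because the tree is text, the follow-up is a `cvs diff` of the flagged files rather than a binary audit.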
participants (4)
- Logan Ingalls
- Martin Opel
- Per Liden
- Simone Rota