Alex Hudson
2010-11-30 16:51:51 UTC
Hi everyone,

Those who've been watching the Gna! front page will have seen that it's
offline while they investigate a security breach. This follows an attack
on Savannah, which I assume happened at basically the same time (they
run similar software).

I've put up a post about how this affects our project:
http://www.alexhudson.com/2010/11/30/potential-gna-issues/

The short story is keep calm and carry on; at the moment we have little
reason to believe any of our project infrastructure is untrustworthy,
and since we have signed code drops I'm confident that the download area
is entirely untouched.

There may be an issue for project members: the attack on Savannah
included some dictionary-based password attacks, so I would say that
unless you have a really good password it's quite possible that it has
been compromised. Obviously, if you use that password elsewhere
(naughty!) then you might want to think about changing it.

Most authentication with Gna! happens over SSH, though, with the public
SSH keys that members upload: and that system is of course safe, there
is no need to think about replacing keys.

So in short, don't worry: I don't think our project is affected, and if
it was we would have detected it already. I will of course be checking
things again once Gna! get back on their feet to confirm all of this.

Thanks

Alex.
--
This message was scanned by Better Hosted and is believed to be clean.
http://www.betterhosted.com