[Esug-list] Repository (In)Security
damien.cassou at inria.fr
Wed Aug 26 03:28:42 EDT 2015
Sean P. DeNigris <sean at clipperadams.com> writes:
> We were sitting here looking at some unencrypted network traffic and it hit
> me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
> tremendous security hole. Someone could grab the credentials of a more
> prominent member of the community who has admin rights to many repos and
> start uploading arbitrary Zip files with who-knows-what embedded.
> SSL certificates are so cheap today. Will ESUG purchase them for our
> community servers?
> I personally have deleted all my private repos, and moved them to BitBucket,
> which I can access via SSH, but it doesn't solve the problem because of
> course any open source St project I load will open the flood gates!
Thank you for raising the issue.
The ESUG board can pay for such a certificate. Nonetheless, the problem is
not paying but installing the certificate and maintaining the server. We
already have too little time to dedicate to server maintenance.
We are looking for volunteers.
"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill