[Esug-list] Repository (In)Security

Damien Cassou damien.cassou at inria.fr
Wed Aug 26 03:28:42 EDT 2015


Hi Sean,

Sean P. DeNigris <sean at clipperadams.com> writes:

> We were sitting here looking at some unencrypted network traffic and it hit
> me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
> tremendous security hole. Someone could grab the credentials of a more
> prominent member of the community who has admin rights to many repos and
> start uploading arbitrary Zip files with who-knows-what embedded.
>
> SSL certificates are so cheap today. Will ESUG purchase them for our
> community servers?
>
> I personally have deleted all my private repos, and moved them to BitBucket,
> which I can access via SSH, but it doesn't solve the problem because of
> course any open source St project I load will open the flood gates!

Thank you for raising the issue.

The ESUG board can pay for such a certificate. Nonetheless, the problem is
not paying but installing the certificate and maintaining the server. We
already have too little time to dedicate to server maintenance.

We are looking for volunteers.

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
