Hi all, Here is the latest status. It seems Savannah is up and running again! Please read the following information carefully. I didn't have time yet to try anything out.
Cheers, Mark
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Monday 22 December 2003, 19:51 EST

Dear Savannah Users,

As you know, savannah.gnu.org and savannah.nongnu.org have been down for a number of weeks due to a system crack. Thanks to the contributions of many people -- most notably Mathieu Roy, Jim Blair, and Paul Fisher -- the system is working again for existing projects.

We have implemented a new security infrastructure that uses chroot'ed environments to isolate each project. We have of course tightened up security, but even if that tightened security is compromised for a particular project, the cracker can most likely only impact that one project.

Please read this whole statement in detail before beginning work again.

As part of the security changes, there are nine user-visible changes of particular interest. Six of those changes are implemented now (three of which are temporary), and two will be implemented later. They are as follows:

(0) All passwords were invalidated. You will need to use the "Lost Password" option to regain access. (Click on "Login via SSL" and then the "[Lost Password?]" link.) Expect an email shortly once you've clicked that link. If you do not receive the email within a very short time period to the address you had on file with your account, please write to <[EMAIL PROTECTED]>.

    Once you have access again, please check the developer and administrator lists for all your projects, and be sure that you recognize all the email addresses and user accounts attached to your projects. It is up to each user to vigilantly check the other authorized users, just as it was to check the integrity of your source.

(1) All authorized SSH keys have been removed from the database. Once your account is reactivated, you must again upload your SSH key. We now only accept SSHv2 keys. Although the web interface will allow you to upload SSHv1 keys, they will not function to give you access. Only SSHv2 keys will provide access and savannah will only accept SSHv2 connections.

(2) Anonymous CVS access will continue, but pserver access has been discontinued. We realize that many have become accustomed to this form of anonymous access, but we found many security problems in pserver and we must avoid it. Anonymous access can now occur via SSHv2. To do so, use the following CVSROOT:

        :ext:[EMAIL PROTECTED]:/cvsroot/PROJECT
    or
        :ext:[EMAIL PROTECTED]:/cvsroot/PROJECT

    So, for example, to get an anonymous checkout of the GNU Emacs sources, you would run the following on the bash command line:

        export CVS_RSH="ssh"
        cvs -d :ext:[EMAIL PROTECTED]:/cvsroot/emacs co emacs

    The first time you do this, you will be prompted by SSH to authenticate the server's key fingerprint. See (3) below for details.

    Note that since only SSHv2 is accepted, you must be sure that your ~/.ssh/config does indicate use of "Protocol 1" with savannah.gnu.org and savannah.nongnu.org.

    If you are absolutely unable to use this method for anonymous access, and you rely on anonymous access, please contact <[EMAIL PROTECTED]>. Since SSH is now ubiquitously available on Free Software systems, we believe that requiring SSH to be installed locally to gain anonymous access from savannah is not burdensome. If it turns out to burden you, please contact us.

    In fact, this new method authenticates and secures all anonymous access, and anonymous users are now safe from person-in-the-middle attacks when they verify the SSH host keys.

(3) The host SSH keys for savannah.gnu.org, savannah.nongnu.org, subversions.gnu.org, etc. have changed. They are as follows:

        DSA 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5
        RSA 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5

    You will be prompted for these the first time you use SSH to connect. If you have older keys stored in your known_hosts file, you may get a message that says there is a "nasty problem". If so, remove the offending entry from your ~/.ssh/known_hosts, and reconnect. SSH will prompt you to authenticate anew with one of the keys above.

(4) Temporarily, we are unable to approve new projects on savannah. We expect to begin accepting new projects before the end of January 2004. We have to reimplement project creation scripts to adhere to the new chroot structure.

(5) Temporarily, the file distribution areas for releases are not functioning. We hope to make them functional again in January 2004 and secure them by using a similar system to that now used on ftp.gnu.org.

(6) Temporarily, all web CVS trees are not functioning. It is currently not possible to work on the CVS trees for websites using savannah. We hope to fix this in mid-January 2004.

(7) In early January 2004, we will record for each project whether or not the developers have checked their integrity using the data in previously-posted announcements. The indicator will be similar to the "is GNU"/"is not GNU" indicator on the main project page.

(8) You will later be required to upload a GnuPG key. We are working on changes that will require GPG-signing of all CVS commits. That functionality is not yet available, but when it is, we plan to make it mandatory to ensure the integrity of all software hosted on Savannah.

Finally, I want to thank all of you for your patience while we worked to resolve these problems. I know that many of you have been considering for the past few weeks switching to another project development site. I don't blame you for considering that. However, I ask now that you decide to stay. We have learned from this experience how to harden the system to be less susceptible to cracking, and the changes we've made will not only help to prevent future cracks, but will mitigate the damage such a crack can cause.

The GPG-signing features that we plan to add in the coming months will (at least at first) be unique among project hosting sites, and ensure the integrity of your software to the greatest degree that is humanly possible.

Meanwhile, Loic Dachary has coordinated the acquisition of new, redundant servers in France, and we will work over the coming months to make them (at first) read-only mirrors of the existing savannah (that can be turned immediately live upon the occurrence of the crack). In addition, as Executive Director of FSF, I am committed to implementing protocols and procedures over the next few months designed to limit downtime to a matter of hours in the case of a crack.

This crack comes on the heels of cracks against many other Free Software project sites; the crack of savannah is not an isolated incident. We must work together as a community to weather these incidents. For our part, this meant long hours and late nights over the past weeks to harden the system, and more hard work to improve our disaster recovery plans. We ask that you make a contribution by sticking with us now that we've hardened the system and work with us to keep the system secure for Free development and software sharing.

Sincerely,

Bradley M. Kuhn
Executive Director, Free Software Foundation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/55J853XjJNtBs4cRArnIAJ4gz/8rCx9TEXQ1tSdQDe2r9NZPTQCgpbL8
Sfd0jTjsYsUdBCk9106t5wE=
=pqRL
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ Classpath mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/classpath
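Item (3) of the forwarded announcement asks each user to compare the fingerprint SSH shows on first connect (or the stale entry already in ~/.ssh/known_hosts) against the two published fingerprints and to remove any entry that does not match. The script below is an added example of doing that check mechanically; it is my own code, not Savannah's or the FSF's tooling, and nothing in the announcement describes it. It assumes the OpenSSH fingerprint format of that era (MD5 over the raw key blob, printed as colon-separated hex, which is the form the announcement shows) and a plain, unhashed known_hosts file with one "host[,host...] keytype base64" entry per line, SSHv1 entries being "host bits exponent modulus". The known_hosts content it runs on is constructed; the key blob in it is not a real Savannah key, so a correct audit must report it as stale.

```python
"""Audit ~/.ssh/known_hosts entries for the Savannah hosts against the
fingerprints published in the announcement, and drop entries that do not
match.

Added example, not Savannah's own tooling.  Assumptions: MD5 colon-hex
fingerprints (OpenSSH's format at the time) and a plain, unhashed
known_hosts file.  The sample input below is constructed.
"""
import base64
import hashlib

# Host key fingerprints exactly as published in the announcement (item 3).
EXPECTED_FINGERPRINTS = {
    "4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5",  # DSA 1024
    "80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5",  # RSA 1024
}

# Hosts the announcement names as having new keys.
SAVANNAH_HOSTS = {"savannah.gnu.org", "savannah.nongnu.org", "subversions.gnu.org"}

# Constructed sample input.  The blob is NOT a real Savannah host key, so the
# audit must flag it; the second line is an SSHv1-style entry, which can never
# match now that only SSHv2 connections are accepted.
CONSTRUCTED_BLOB = base64.b64encode(b"constructed blob, not a real Savannah key").decode()
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real known_hosts file\n"
    f"savannah.gnu.org,savannah.nongnu.org ssh-rsa {CONSTRUCTED_BLOB}\n"
    "savannah.gnu.org 1024 35 1234567890123456789\n"
    f"example.org ssh-dss {CONSTRUCTED_BLOB}\n"
)


def md5_fingerprint(key_b64):
    """Return the MD5 fingerprint of a base64 key blob in colon-hex form."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Yield (hostnames, keytype, key_b64, raw_line) for each key line."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        hosts = fields[0].split(",")
        if len(fields) >= 4 and fields[1].isdigit():
            yield hosts, "ssh1", None, raw          # SSHv1: host bits exponent modulus
        elif len(fields) >= 3:
            yield hosts, fields[1], fields[2], raw  # SSHv2: host keytype blob [comment]


def audit_known_hosts(text, expected=EXPECTED_FINGERPRINTS, hosts=SAVANNAH_HOSTS):
    """Split entries for the Savannah hosts into (verified_lines, stale_lines).

    An entry is verified only if it is an SSHv2 key whose fingerprint is in
    the published set; any other entry for these hosts is stale and is what
    triggers the host-key-changed warning item (3) refers to.
    """
    verified, stale = [], []
    for entry_hosts, keytype, blob, raw in parse_known_hosts(text):
        if not set(entry_hosts) & hosts:
            continue
        if keytype != "ssh1" and md5_fingerprint(blob) in expected:
            verified.append(raw)
        else:
            stale.append(raw)
    return verified, stale


def remove_stale(text, expected=EXPECTED_FINGERPRINTS, hosts=SAVANNAH_HOSTS):
    """Return the file contents with stale Savannah entries removed, which is
    the manual step item (3) asks for (ssh-keygen -R does the same per host)."""
    _, stale = audit_known_hosts(text, expected, hosts)
    stale_set = set(stale)
    keep = [line for line in text.splitlines() if line not in stale_set]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    ok, bad = audit_known_hosts(SAMPLE_KNOWN_HOSTS)
    for line in ok:
        print("verified:     ", line)
    for line in bad:
        print("stale, remove:", line)
```

Run it against the real file by reading ~/.ssh/known_hosts and writing back the result of remove_stale only after reviewing the stale list; the verified list is what the first interactive SSH prompt should agree with. The check deliberately treats an SSHv1 entry for these hosts as stale regardless of content, since the announcement states that only SSHv2 connections are accepted.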

