On Tue, 10 Apr 2001, Bill Stoddard wrote:
>
>
> > On Tue, 10 Apr 2001, Marc Slemko wrote:
> >
> > > On Mon, 9 Apr 2001 [EMAIL PROTECTED] wrote:
> > >
> > > >
> > > > Why don't we just use the bugzilla that is on that Sun machine? isn't it
> > > > called nagoya.apache.org, or something like that?
> > >
> > > 1. we tried bugzilla before for 2.x bug reports. result: it was used as
> > > one step in a root compromise. Sure, having it on its own box helps
> > > things out. But doesn't remove the concern.
> > > 2. bugzilla doesn't, out of the box, provide some of the functionality
> > > that we have now that I consider to be quite important.
> > > 3. even if those weren't issues, it has to be configured and set up in a
> > > way that lets it meet our needs and people have to know how it should be
> > > used.
> > >
> > > While I am unhappily resigned to the fact that bugzilla may, in fact, form
> > > the core of what the best solution is for us, I don't know that it is just
> > > a drop-it-in-and-run thing.
> >
> > Nagoya was set up specifically to be a bugzilla machine for the ASF. It is
> > run by Pier and somebody else, who I can't remember. The root compromise
> > is not a big issue, because that machine doesn't really run anything other
> > than bugzilla.
>
> Errr... no. Root compromise of any machine on the internet is a BIG DEAL. The
> data on the machine is only a minor part of the issue.

I said it unclearly. Bugzilla was compromised on apache.org, because of
how the machine was set up. It was set up that way, because of how many
different things it was doing. This machine is running bugzilla, and that
is it. The vulnerability isn't as large, because we are keeping tighter
control of what is on that box.

Plus, that machine has been up and running for a while without a problem.
That doesn't mean it is safe, but it is a good omen.

Ryan
_______________________________________________________________________________
Ryan Bloom [EMAIL PROTECTED]
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------