>
> Hi Mathieu:
>
> : Someone brought to my attention the page <http://www.osvdb.org/7457>
> :
> : This page is titled "Savane .#passwd File Password Disclosure" and was
> : published "Dec 11, 2001".
> : In the section product appears my name.
> :
> : The very first release of the software Savane has been made in 2004. And
> : I was myself implicated in the project Savannah (not a software
> : project, but a development platform) only since February 2002 (and my
> : name is not a product name).
> :
> : Since this report is about unreleased Software, mention issues the
> : Savane does not even deal about for a second (.#passwd, pserver password
> : file? Can anyone point to any part of the code that would specifically
> : deal with such file? I doubt it.), please update or remove this flawed
> : entry.
>
> https://gna.org/projects/savane
> http://cvs.gna.org/viewcvs/savane/savane/
> http://cvs.gna.org/viewcvs/savane/savane/ChangeLog
> http://cvs.gna.org/viewcvs/*checkout*/savane/savane/ChangeLog?rev=HEAD&content-type=text/plain
>
> Changelog:
> 2001-12-11 18:52 loic
> * gnuscripts/sf_cvs: remove a_project users, specify LockDir in
> /var/lock/cvs, disable SystemAuth, anoncvs is not a member of
> any group, webcvs is only a member of GNU projects, update
> /etc/cvs-pserver.conf instead of xinetd.conf, fix security
> problem related to pserver password file visible thru .#passwd
> file
>
> We'd love for you to clear up the vendor name if it wasn't yourself. It is
> clear from the changelog that this project dates back to before Feb
> 2002. The only time we use an author's name is when we don't have a
> company or official project name to go by. If you can help me with
> that, I'll be more than happy to update our entry and include the
> project name. Looking at the footer of that page, it seems "the Gna!
> people" would be more appropriate. Should I change it to that?

The fact that files were for a time in a CVS repository does not mean these files were ever released as part of a program born 3 years later.

This CVS at that time was only a local copy of the Sourceforge software. It has no real bound to what we released as Savane. Savane is a fork of Sourceforge, but at that time there was still no fork. And all this stuff related to #.passwd pserver has never been related to the Savane software, but to a specific installation of Sourceforge named Savannah (hence the directory name).

That's specifically to avoid confusion between Savannah (the GNU software development platform) and the software that is used there currently that we named the last one Savane. In associating Savane with a trivial issue that is 100% Savannah related 0% Savane/Sourceforge-code related, you support, and I'm sure that's not deliberate, the confusion we'd like to avoid.

As such, there was never any release of the software Savane containing the incriminated content. Just as Savane has never contained any /etc/cvs-pserver.conf etc. That's why I said "this report is about unreleased Software, mention issues the Savane does not even deal about for a second".

So if you want to keep your OSVDB ID: 7457, you should clear the name Savane from the report and just say it was Savannah (the GNU software development platform) specific -- but wouldn't it be pointless to keep a report of one trivial incident that happened there, just like it happens everywhere on any noticeable server? That's up to you, I let you judge. What matters to me is that people don't get confused about what Savane is. And Savane before it was ever released is everything but Savane.

Regards,

--
Mathieu
