Maybe you should add in your report that gforge is running on tens of publicly available sites on the internet, gforge was security audited several times, that alioth.debian.org was not compromised when Debian was attacked, and that you didn't provide any exploit.
Personally I find that savane and gforge should merge, savannah to gforge migration will just prove it's possible.

Cheers

Christian

On Mon 12/04/2004 at 12:32, Lorenzo Hernandez Garcia-Hierro wrote:
> Hi,
> I have to tell you about this:
> http://www.tuxedo-es.org/seguridad/GForge-1.xhtml
> It's an almost finished security audit of the latest GForge source.
> I am available to help you with how to fix those issues.
> Please, after you've fixed GForge and released the patches, I want to have
> permission to publish this on some security lists (FD, bugtraq, web app sec) just to
> tell people and advise that they need to patch, is it o.k.?
> Thanks in advance,
> Cheers
> PS: I am resending this message to some people of GNU, AFAIK there was an
> idea of migrating from Savannah/Savane to GForge because "Sava was not secure enough", and I
> looked at your code just to know how secure GForge is, and it presents AFAIK the same types of
> security problems as Savane.
> --------------------------------------
> Lorenzo Hernandez Garcia-Hierro
> PGP: Keyfingerprint:
> 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
> ID: 0x91805F5B
> http://www.tuxedo-es.org
> ______________________________________