RE: [Zope-dev] cvs.zope.org down

2003-10-23 Thread Brian Lloyd
> >>> Toby Dickenson wrote
> > That makes me nervous. How will you know that the sources in cvs haven't been
> > compromised?
>
> Surely people can compare checkouts of the various branches (2.6, 2.7) against
> downloaded tarballs? We can't do the same with TRUNK, but that should be still
> possible to check against, say, a 2.7 beta.

I have checkouts of just about every branch ever + the head in 
a couple of places - based on those, nothing untoward appears 
to have happened to the source tree.

Everyone with a product or other code in that cvs should do a 
check to make sure, but given that we caught the intrusion 
almost immediately and that the attacker's methods were rather 
unsophisticated, I think the risk is pretty low.


Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
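
The comparison discussed in this thread (a CVS checkout against a release tarball), sketched as an added example that is not part of the original messages. The file names and contents are constructed, and the tarball is assumed to be a copy obtained before the intrusion.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

SKIP_DIRS = {"CVS"}  # CVS bookkeeping directories exist only in a checkout

def hash_tarball(path, strip=1):
    """Relative path -> SHA-256 for each regular file; drops the top-level dir."""
    out = {}
    with tarfile.open(path) as tar:
        for m in tar:
            rel = "/".join(m.name.split("/")[strip:])
            if m.isfile() and rel:
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def hash_checkout(root):
    """Relative path -> SHA-256 for each file in a checkout, skipping CVS/ dirs."""
    out = {}
    for p in Path(root).rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and SKIP_DIRS.isdisjoint(rel.parts[:-1]):
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare(release, checkout):
    """Files whose content differs, plus files present on only one side."""
    common = release.keys() & checkout.keys()
    return {"modified": sorted(p for p in common if release[p] != checkout[p]),
            "missing": sorted(release.keys() - checkout.keys()),
            "extra": sorted(checkout.keys() - release.keys())}

def write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data only
        co, tarball = Path(tmp, "checkout"), Path(tmp, "Sample-1.0.tgz")
        write(co, "README.txt", b"sample release\n")
        write(co, "lib/auth.py", b"def allowed(user):\n    return False\n")
        with tarfile.open(str(tarball), "w:gz") as tar:  # the "known good" release
            tar.add(str(co), arcname="Sample-1.0")
        write(co, "CVS/Entries", b"/README.txt/1.1///\n")  # checkout-only metadata
        write(co, "lib/auth.py", b"def allowed(user):\n    return True\n")  # altered
        write(co, "lib/extra.py", b"# not in the release\n")  # added after release
        return compare(hash_tarball(tarball), hash_checkout(co))
```

Entries under "extra" and "modified" still need a manual read against the commit history, since a branch checkout legitimately moves past the release it is compared with.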


Re: [Zope-dev] cvs.zope.org down

2003-10-23 Thread Anthony Baxter

>>> Toby Dickenson wrote
> That makes me nervous. How will you know that the sources in cvs haven't been
> compromised?

Surely people can compare checkouts of the various branches (2.6, 2.7) against
downloaded tarballs? We can't do the same with TRUNK, but that should be still
possible to check against, say, a 2.7 beta.

Anthony
-- 
Anthony Baxter <[EMAIL PROTECTED]>   
It's never too late to have a happy childhood.




Re: [Zope-dev] cvs.zope.org down

2003-10-23 Thread Toby Dickenson
On Tuesday 21 October 2003 18:08, Jens Vagelpohl wrote:
> Just a quick heads-up:

> Then we will start restoring the data
> from the old drives.

That makes me nervous. How will you know that the sources in cvs haven't been
compromised?

-- 
Toby Dickenson




Re: [Zope-dev] cvs.zope.org down

2003-10-23 Thread Jamie Heilman
Jens Vagelpohl wrote:
> This morning we noticed some odd activity on cvs.zope.org that
> looked like someone had broken into the machine.
...
> The collector.zope.org web site, which was served from the same
> machine, will probably end up being integrated into www.zope.org
> tomorrow and cease to exist as a separate Zope instance.

I'd like to make a request.  If evidence reveals that
{cvs,collector}.zope.org *was* compromised, then would ZC kindly
consider making all 'security' bugs in the collector public?
The reasoning being that there is little point behind hiding potential
security problems from the zope community if the blackhat community
has already obtained the details.  That said, any status on getting
the collector back up?

-- 
Jamie Heilman http://audible.transient.net/~jamie/
