[Savannah-hackers-public] Re: [gnu.org #254064] ftp.gnu.org/savannah/files/
Tue, 18 Oct 2005 20:00:26 +0200
I guess that a README saying that
The files that previously resided in this directory were untrusted
uploads backed-up after the Savannah compromise back in 2003, and were
provided for their maintainers to review them.
We now believe those reviews were performed, and we are concerned
about publicly providing untrusted files. Thus, we removed them.
If however you are a maintainer of those files and wish to retrieve
them, please get in touch with the Savannah Hackers at
should be enough :)
Note that the archives _should not be deleted_ but moved somewhere on
Savannah so you and I can provide files to maintainers on demand. The
main goal is to prevent the files from being widely mirrored and/or
referenced as an official download area.
On Tue, Oct 18, 2005 at 12:39:42PM -0400, Joshua Ginsberg via RT wrote:
> Sylvain --
> I don't... do you... I mean....... what?
> So do you want all of those archives deleted at this point and replaced
> with a README? If so, according to Jim's email, that README should include:
> a) about the compromise
> b) what resources are available to developers that would like to
> audit their code
> c) whom to contact by email to get those resources
> d) whom to contact by email to report results of an audit
> I can do bullet a. I don't have any information about b through d.
> I'm also going to contact Jim to find out why this was never done. It
> seems that it should have but wasn't.
> > [beuc - Fri Oct 07 14:43:01 2005]:
> > Hello,
> > I remember Jim contacted sv-hackers regarding
> > ftp://ftp.gnu.org/savannah/files/
> > These are the files from before the Savannah 2003 compromise. They
> > are a way for maintainers to grab their files and check them before
> > (maybe) re-uploading them.
> > However, those files were apparently mirrored.
> > Please check the following 2 messages:
> > http://lists.gnu.org/archive/html/savannah-hackers/2004-08/msg00835.html
> > http://lists.gnu.org/archive/html/savannah-hackers/2004-08/msg00905.html
> > Could you check the status of this task? Unfortunately the people
> > involved were Jim and Bradley, and they're not here anymore - do you
> > know what we should do here?