[Savannah-hackers] Re: Plan for today


From: Mathieu Roy
Subject: [Savannah-hackers] Re: Plan for today
Date: Thu, 18 Dec 2003 18:05:28 +0100
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)

Vincent Caron <address@hidden> said:

> Mathieu Roy wrote:
>> 1) I trust the latest CVS. I worked during the whole month of the
>> compromise intensively with the CVS and I do not believe it possible to
>> miss an unnoticed harsh change in the CVS:
>>      - I always check the diff for commits not made by myself
>>      - A file that I did not change myself would produce at least a
>>      "U" during a CVS update.
>
>    In theory, a malicious hacker could change the RCS file in place
> without you noticing on cvs updates. Although that's very tricky and
> there are plenty of other places with easier and more interesting
> backdoors to install.

How so? Each time I make a cvs update, the RCS file on the server is
compared with my file. And if I do not have the exact same file, I'll
get a U, or even a C if I edited the file.

>> (I insist on the fact that this kind of change must not be committed
>> on the Savannah CVS itself)
>
>    I suggest we set up a new CVS repository with an import from the
> TDEV_2003-09-05_CERN branch for the sake of subversions (we need the
> audit confirmation first for that, tapping code from Nov 1st would
> deprive us of a lot of bugfixes). We can resync later and
> progressively with the official Savannah tree. Makes sense to you,
> Mathieu?

Using the code from the 1st is anyway no longer possible. We moved to
the development branch, that includes a database update. You cannot
revert that process without spending one month on it.

Apart from that I do not clearly understand your proposal. No change
that has been made to the server should impact the frontend part (how
so?)

For the backend, I guess that the changes you'll have to make will not
be polished and portable enough to be committed in the savannah CVS in
a near future. So you can create a CVS for the hacked backend, unlinked to
the savannah project itself, if you feel it necessary.




-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
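
The exchange above turns on whether an in-place edit of a server-side RCS `,v` file would be noticed through `cvs update`. A server-side check that does not depend on any working copy, as an added example (not code from this thread or from the Savannah project): fingerprint each stored revision of a `,v` file and compare it with a trusted baseline copy. The function names and the sample files are constructed for illustration; the revision metadata (date, author) is not covered.

```python
import hashlib
import re

# One deltatext entry of a ,v file: revision number, then the @-quoted
# log and text strings ("@@" inside a string is a literal "@").
DELTATEXT = re.compile(
    r"^(\d+(?:\.\d+)+)\nlog\n@((?:[^@]|@@)*)@\ntext\n@((?:[^@]|@@)*)@", re.MULTILINE)
HEAD = re.compile(r"^head\s+([\d.]+);", re.MULTILINE)

def fingerprint(rcs_source):
    """Return (head revision, {revision: SHA-256 of its stored log and text})."""
    head = HEAD.search(rcs_source).group(1)
    digests = {rev: hashlib.sha256(f"{log}\0{text}".encode()).hexdigest()
               for rev, log, text in DELTATEXT.findall(rcs_source)}
    return head, digests

def compare(baseline, current):
    """Classify each revision of a trusted baseline copy against the current file."""
    base_head, base = fingerprint(baseline)
    cur_head, cur = fingerprint(current)
    report = {"rewritten": [], "removed": [], "unchecked": [],
              "added": sorted(set(cur) - set(base))}
    for rev, digest in base.items():
        if rev not in cur:
            report["removed"].append(rev)
        elif rev == base_head and cur_head != base_head:
            # A later trunk commit replaces the old head's full text with a
            # reverse delta, so its stored bytes differ legitimately.
            report["unchecked"].append(rev)
        elif cur[rev] != digest:
            report["rewritten"].append(rev)
    return report

def sample(head, entries):
    """Build a minimal constructed ,v file (admin section reduced to 'head')."""
    body = "".join(f"\n\n{rev}\nlog\n@{log}\n@\ntext\n@{text}@\n"
                   for rev, log, text in entries)
    return f"head\t{head};\n\n\ndesc\n@@\n{body}"

# Constructed sample data, not taken from any real repository.
BASELINE = sample("1.2", [("1.2", "add check", "a\nb\n"), ("1.1", "initial", "d2 1\n")])
AFTER_COMMIT = sample("1.3", [("1.3", "fix", "a\nb\nc\n"),
                              ("1.2", "add check", "d3 1\n"), ("1.1", "initial", "d2 1\n")])
TAMPERED = sample("1.2", [("1.2", "add check", "a\nX\n"), ("1.1", "initial", "d2 1\n")])

if __name__ == "__main__":
    print(compare(BASELINE, AFTER_COMMIT))
    print(compare(BASELINE, TAMPERED))
```

A revision reported as `unchecked` has to be rebuilt to its full text from the deltas before it can be compared with the baseline.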