[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers] Re: Plan for today

From: Mathieu Roy
Subject: [Savannah-hackers] Re: Plan for today
Date: Thu, 18 Dec 2003 18:05:28 +0100
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)

Vincent Caron <address@hidden> said:

> Mathieu Roy wrote:
>> 1) I trust the latest CVS. I worked during the whole month of the
>> compromise intensively with the CVS and I do not believe possible to
>> miss an unnoticed harsh change in the CVS:
>>      - I always check the diff for commits not made by myself
>>      - A file that I did not change myself would produce at least and
>>      "U" during a CVS update.
>    In theory, a malicious hacker could change the RCS file in place
> without you noticing on cvs updates. Although that's very tricky and
> there are plenty of other places with easier and more insteresting
> backdoors to install.

How so? Each time I make a cvs update, the RCS file on the server is
compared with my file. And if I do not have the exact same file, I'll
get a U, or even a C if edited the file. 

>> (I insist on the fact that this kind of change must not be commited
>> on the Savannah CVS itself)
>    I suggest we set up a new CVS repository with an import from the
> TDEV_2003-09-05_CERN branch for the sake of subversions (we need the
> audit confirmation first for that, tapping code from nov 1st would
> deprive us of a lot of bugfixes). We can resync later and
> progressively with the official Savannah tree. Makes sense to you
> Mathieu ?

Using the code from the 1st is anyway no longer possible. We moved to
the development branch, that include a database update. You cannot
revert that process without spending one month on it.

Apart from that I do not clearly understand your proposal. No change
that have been made to the server should impact the frontend part (how

For the backend, I guess that the change you'll have to made will not
be polished and portable enough to be commited in the savannah CVS in
a near future. So you can create a CVS for hacked backend, unlinked to
the savannah project itself, if you feel it necessary.

Mathieu Roy

  | General Homepage:              |
  | Computing Homepage:           |
  | Not a native english speaker:                                       |
  |  |

reply via email to

[Prev in Thread] Current Thread [Next in Thread]