Lorenzo Hernandez Garcia-Hierro
[Savannah-hackers] Re: [Savane-dev] [IMPORTANT] GNU Savannah migration from Savannah (the Software) to GForge - Why?!
Sun, 11 Apr 2004 14:09:13 +0200
> I'd like people to understand that we are not still considering the
> question. It is a final decision to switch to Gforge.
Final decision? Why not consider giving some time to check whether GForge
is really the thing that can replace Savane? And what specific reasons can
you give us?
Is it more secure? Is it more efficient? Does it provide things that
Savane doesn't have?
In that case, why not consider proposing them on the savane-dev list at !Gna?
> I will give a brief explanation. We cannot continue using the
> Savannah software because we have no one to maintain it properly.
> GForge is maintained seriously. Therefore we will switch to GForge.
AFAIK Mathieu Roy is currently a really good maintainer of the project, and
what about the other developers? Are 9 people "no one"?
There is a thing I don't understand: I've seen on some lists that a
possible reason is that "Savane is not secure enough",
but this is not true. Savane is like other software: it has bugs/holes
that are discovered by accident or by a source audit.
The first only happens when the system is compromised; the second occurs
when developers think that it is not secure at all.
I've contacted the people of the project due to a source audit I made of
Savane; the response was perfect and things went
quickly. Now Savane is really good software except for one thing: it uses old
insecure features of PHP. This problem will be solved
when the NRG branch (which solves this problem) gets merged with the trunk.
In the case of security, I want to talk about GForge (I've got the source
and I am looking at it):
As an example of the same problem (register_globals use), GForge shares it
with Savane;
just look at /www/sendmessage.php line 16.
Variables are not set by method; they are registered as globals.
I found some funny "holes" in the code that are affected by the above.
Look at source.php, lines 16-17:
bad use of $sys_show_source implies that ANYBODY can see the source of
any file and bypass the protection by setting the boolean value of that variable;
denied, so use
http://gforge.org/source.php?sys_show_source=true&file=source.php , and now you
can see sources with "permission".
I will check the rest of the code later.
A false sense of security is more dangerous than a real security problem.
> I don't have time to discuss this further. I am in the hospital and
> falling behind on my other work.
Ok, I wanted to tell my opinion, sincerely,
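The register_globals problem the message describes (a request parameter silently overwriting a configuration variable that gates access), as an added illustration that is not part of the original message and is not code from GForge or Savane. Every name in it ($sys_show_source, SYS_SHOW_SOURCE, show_source_vulnerable, show_source_hardened, the directory layout) is hypothetical, and because register_globals was removed in PHP 5.4 it is emulated here by copying the request array into $GLOBALS so the behaviour can be reproduced on a current interpreter:

```php
<?php
// Added example, not GForge or Savane code. All names are hypothetical.
// register_globals=On is emulated by copying request parameters into
// $GLOBALS, which is exactly what the PHP engine did for every request.

// Administrator's configuration: viewing source is meant to be denied.
$sys_show_source = false;

// What register_globals did: each GET/POST parameter became a global
// variable of the same name, overwriting any variable already set by the
// script, configuration included.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: the access check reads a global that the request
// has just been allowed to redefine, and the file name comes from the
// same global pool with no path confinement.
function show_source_vulnerable(array $request, string $allowedDir): string
{
    emulate_register_globals($request);
    global $sys_show_source, $file;
    if (!$sys_show_source) {
        return "denied";
    }
    $content = @file_get_contents($allowedDir . '/' . $file);
    return $content === false ? "denied" : $content;
}

// Hardened pattern: the setting lives in a constant the request cannot
// reach, input is read explicitly from the request array rather than
// from globals, and the path is canonicalised and confined to $allowedDir.
define('SYS_SHOW_SOURCE', false);

function show_source_hardened(array $get, string $allowedDir): string
{
    if (!SYS_SHOW_SOURCE) {
        return "denied";
    }
    $file = (isset($get['file']) && is_string($get['file'])) ? $get['file'] : '';
    $base = realpath($allowedDir);
    $path = realpath($allowedDir . '/' . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return "denied";
    }
    return file_get_contents($path);
}

// Constructed request, the array equivalent of
// ?sys_show_source=true&file=<this script>
$request = ['sys_show_source' => 'true', 'file' => basename(__FILE__)];
$dir = __DIR__;

echo "vulnerable: ", substr(show_source_vulnerable($request, $dir), 0, 40), "\n";
echo "hardened:   ", show_source_hardened($request, $dir), "\n";
```

Run it with `php example.php`: the vulnerable function hands back the first bytes of the script itself, because the string 'true' from the request replaced the administrator's false before the check ran, while the hardened function answers "denied", since a constant cannot be redefined by a request and the file parameter is only ever read from the request array. The realpath prefix check is there because fixing the globals problem alone would still leave `file=../../etc/passwd` style traversal in the original pattern.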