[hatari-devel] Berlios compromised

Eero Tamminen eerot at users.berlios.de
Thu Jan 14 21:04:44 CET 2010


Hi,

On Thursday 14 January 2010, Andrea Musuruane wrote:
>     I'm Hatari Fedora package maintainer. It was reported yesterday on
> our devel mailing list that berlios.de has been compromised since
> 2005:
>
> http://www.h-online.com/open/news/item/BerliOS-open-source-project-portal-falls-victim-to-attack-903990.html
>
> Hatari uses BerliOS for both vcs and file releases. We want to be sure
> that your software has not been compromised by an attacker. Have you
> done an audit of Hatari to verify that no extraneous and dangerous
> code has been introduced?

No.

Hatari's a bit of a fringe program and not doing anything network related, so
it could be less interesting as an attack target.

You could also write a selinux Hatari policy that makes sure that admin gets
notified if Hatari e.g. tries to open network sockets (Hatari remote control
thing uses a local unix socket for communicating with the controlling
program like Hatari UI).


> If not, do you plan to do one? 

We haven't planned that yet.  We look at most of the code now and then, so
I think it would be found out if it's in the repository head.  I think messing
with a distributed version control repository is a bit harder than with
other things like pre-compiled binaries and tarballs.

(I would be more worried about the last two and about having a malicious HG
server at the BerliOS end.)


Nicolas, one of things that would be easy to do would be comparing
the release source tarballs:
http://developer.berlios.de/project/showfiles.php?group_id=10436

against the same releases on Sourceforge:
http://sourceforge.net/projects/hatari/files/

And what's tagged in the BerliOS HG repository against your own HG
repository.


> Have you considered moving your host from BerliOS to another,
> more secure, and I should say, caring host?

At least not yet.

The security issue is of course bad, but if the maintenance issues in
keeping the systems up to date & security fixes applied promptly are fixed
(in a convincing way) so that this is unlikely to happen again, I don't see
a problem.


> It seems that BerliOS admin didn't care enough to report this intrusion
> to its users. 

This is also bad.  I hope to see something done about this from BerliOS
side.


Hatari has been at BerliOS only about a year (the move happened in Dec 2008)
and moved there because we were dissatisfied with Sourceforge:
- slow
- riddled with advertisements
- no distributed version control (Mercurial) support

At least at that time there were no other good candidates for hosting that
would have provided Mercurial (even support for Git was patchy).  Are there
now?


	- Eero
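The tarball comparison Eero suggests above (BerliOS download against the SourceForge copy of the same release) can be done member by member rather than by eyeballing a directory listing. The script below is an added example written for this thread, not Hatari project code: it hashes every regular file inside two tarballs and reports files present on only one host and files whose contents differ. The two tarballs it compares by default are constructed in memory (paths under a made-up `hatari-src/` directory) so the example runs offline; in practice you would pass the two downloaded `.tar.gz` files on the command line.

```python
"""Compare two copies of a release tarball member by member.

Added example for the hatari-devel thread on the BerliOS compromise; not
Hatari project code. Usage: python compare_tarballs.py host_a.tar.gz host_b.tar.gz
With no arguments it compares two constructed in-memory tarballs.
"""
import hashlib
import io
import sys
import tarfile


def digest_members(data: bytes) -> dict:
    """Return {member path: sha256 hex digest} for every regular file in a tarball.

    The archive is opened with transparent decompression ("r:*"), so gzip,
    bzip2 or plain tar all work. Directories, symlinks and devices are skipped;
    only file contents are hashed.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if member.isfile():
                f = tf.extractfile(member)
                digests[member.name] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Report which members exist on only one side and which differ in content."""
    da, db = digest_members(a), digest_members(b)
    only_in_a = sorted(set(da) - set(db))
    only_in_b = sorted(set(db) - set(da))
    differ = sorted(p for p in set(da) & set(db) if da[p] != db[p])
    return {
        "only_in_a": only_in_a,
        "only_in_b": only_in_b,
        "differ": differ,
        "identical": not (only_in_a or only_in_b or differ),
    }


def make_tarball(files: dict) -> bytes:
    """Build a gzip tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the "host B" copy has one modified source file and one
# extra file that the "host A" copy never shipped. Paths are made up.
HOST_A = make_tarball({
    "hatari-src/README": b"Hatari\n",
    "hatari-src/src/main.c": b"int main(void) { return 0; }\n",
})
HOST_B = make_tarball({
    "hatari-src/README": b"Hatari\n",
    "hatari-src/src/main.c": b"int main(void) { return 1; }\n",
    "hatari-src/src/extra.c": b"/* not in the other copy */\n",
})


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as fa, open(argv[2], "rb") as fb:
            a, b = fa.read(), fb.read()
    else:
        a, b = HOST_A, HOST_B
    report = compare_tarballs(a, b)
    for key in ("only_in_a", "only_in_b", "differ"):
        for path in report[key]:
            print(f"{key}: {path}")
    print("identical" if report["identical"] else "MISMATCH")
    return 0 if report["identical"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hashing the whole `.tar.gz` with sha256sum is the cheaper first check; if the two files are byte-identical there is nothing more to do. The member-level comparison is for the case where the hashes differ, because it tells you whether the difference is an injected or modified source file or merely a re-compressed archive (gzip headers carry timestamps, so identical contents can still give different whole-file hashes). A manual review can then focus on the listed paths.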


