[hatari-devel] Berlios compromised

npomarede at corp.free.fr
Thu Jan 14 22:14:02 CET 2010


On Thu, 14 Jan 2010, Eero Tamminen wrote:

> Hi,
>
> On Thursday 14 January 2010, Andrea Musuruane wrote:
>>     I'm the Hatari Fedora package maintainer. It was reported yesterday on
>> our devel mailing list that berlios.de has been compromised since
>> 2005:
>>
>> http://www.h-online.com/open/news/item/BerliOS-open-source-project-portal-falls-victim-to-attack-903990.html
>>
>> Hatari uses BerliOS for both vcs and file releases. We want to be sure
>> that your software has not been compromised by an attacker. Have you
>> done an audit of Hatari to verify that no extraneous and dangerous
>> code has been introduced?
>
> No.
>
> Hatari's a bit of a fringe program and not doing anything network related so
> it could be less interesting as an attack target.
>
> You could also write a selinux Hatari policy that makes sure that admin gets
> notified if Hatari e.g. tries to open network sockets (Hatari remote control
> thing uses a local unix socket for communicating with the controlling
> program like Hatari UI).
>
>
>> If not, do you plan to do one?
>
> We haven't planned that yet.  We look at most of the code now and then so
> I think it would be found out if it's the repository head.  I think messing
> up with distributed version control repository is a bit harder than with
> other things like pre-compiled binaries and tarballs.
>
> (I would be more worried about the last two and having malicious HG server
> at BerliOS end.)
>
>
> Nicolas, one of things that would be easy to do would be comparing
> the release source tarballs:
> http://developer.berlios.de/project/showfiles.php?group_id=10436
>
> against the same releases on Sourceforge:
> 	http://sourceforge.net/projects/hatari/files/
>
> And what's in tagged in the BerliOS HG repository and your own HG
> repository.

On the general point, I agree with Eero, I don't think Hatari would be an 
interesting target for hackers, due to its lack of network connectivity 
and its rather restricted user base (although they're very dedicated to 
the Atari!).

Regarding the 1.3.1 sources available on berlios, I compared them with my 
current source tree and didn't see anything that was not strictly Hatari 
related.
Same for the hg tree stored on berlios, importing it doesn't show any 
difference to my own tree.

So, I would say Hatari was not a target of this attacker, was not modified 
by a non-official committer and can be safely packaged in any distro.

>
> Hatari has been at BerliOS only about a year (move happened Dec 2008)
> and moved there because we were dissatisfied with Sourceforge:
> - slow
> - riddled with advertisements
> - no distributed version control (Mercurial) support
>
> At least at that time there were no other good candidates for hosting that
> would have provided Mercurial (even support for Git was patchy).  Are there
> now?
>

Apart from when the server went down over a weekend some months ago and this 
recent attack, I don't have the feeling berlios is a bad hosting solution. 
At least for the size of our project and its relatively small activity, I 
think it's just fine.


Nicolas
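Eero suggests comparing the release tarballs published on BerliOS against the same releases on Sourceforge, and Nicolas reports doing this by hand for 1.3.1. The script below is an added example of how to do that comparison mechanically; it is not part of the original thread and not Hatari project code. It compares two tarballs by the contents of each file rather than by the whole-file checksum, because gzip headers and tar metadata (mtimes, owners, the top-level directory name) legitimately differ between hosts and would otherwise produce false alarms. The two tarballs are constructed in memory as sample input (a "clean" copy and a copy with one altered and one extra file); in practice you would pass the bytes of the two downloaded archives.

```python
import hashlib
import io
import tarfile


def tar_digests(data: bytes) -> dict:
    """Map each regular file's path (top-level directory stripped) to its SHA-256.

    The root directory is stripped because the same release can be rooted at
    e.g. "hatari-1.3.1/" on one host and "hatari/" on another; what matters
    for the integrity check is the file content below it.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            content = tf.extractfile(member).read()
            digests[path] = hashlib.sha256(content).hexdigest()
    return digests


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Report files only in one archive and files whose content differs."""
    da, db = tar_digests(a), tar_digests(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "differing": sorted(p for p in set(da) & set(db) if da[p] != db[p]),
    }


def build_tarball(root: str, files: dict) -> bytes:
    """Constructed sample input: an in-memory .tar.gz with the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample release contents (hypothetical, not real Hatari sources).
CLEAN = {
    "configure": "#!/bin/sh\necho configuring\n",
    "src/main.c": "int main(void) { return 0; }\n",
}
# Same release with one file altered and one file added, as tampering would look.
TAMPERED = dict(CLEAN)
TAMPERED["configure"] = "#!/bin/sh\n# injected line\necho configuring\n"
TAMPERED["src/helper.c"] = "/* extra file not in the other mirror */\n"


if __name__ == "__main__":
    mirror_a = build_tarball("hatari-1.3.1", CLEAN)
    mirror_b = build_tarball("hatari-1.3.1", TAMPERED)
    print(compare_tarballs(mirror_a, mirror_b))
    # Same content under a different root directory: no differences reported.
    print(compare_tarballs(mirror_a, build_tarball("hatari", CLEAN)))
```

Two caveats apply to reading the result. An empty report only shows the two hosts agree with each other; if both copies were uploaded from the same machine after it was compromised, or the Sourceforge copy was simply mirrored from BerliOS, agreement proves nothing, so the strongest reference is a developer's own local tree or a tagged revision in a repository they control, which is the comparison Nicolas actually made. And for the Mercurial side, comparing the changeset hash of the tag in the BerliOS clone against the same tag in a local clone is the equivalent check, since a rewritten history yields different changeset IDs.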


