[hatari-devel] Berlios compromised

Thomas H. th.huth at gmx.de
Sat Jan 16 12:34:26 CET 2010


> Datum: Thu, 14 Jan 2010 22:14:02 +0100 (CET)
> Von: npomarede at corp.free.fr
> 
> On the general point, I agree with Eero, I don't think Hatari would be an 
> interesting target for hackers, due to its lack of network connectivity 
> and its rather restricted user base (although they're very dedicated to 
> the Atari!).
> 
> Regarding the 1.3.1 sources available on berlios, I compared them with my 
> current sources tree and didn't see anything that was not strictly hatari 
> related.
> Same for the hg tree stored on berlios, importing it doesn't show any 
> difference to my own tree.
> 
> So, I would say Hatari was not a target of this attacker, was not modified
> by a non-official committer and can be safely packaged in any distro.

I second that. I also think that the Hatari hg repository has not been modified. Fortunately we use Mercurial as versioning system, so each commit is secured with a SHA-1 hash checksum. That means it is hardly possible to modify the repository on the server directly without being noticed (you would see a clash with your local repository during the next checkout).

I think the only possible way to attack the repository would be that the hacker got hold of a password of one of us developers and then checked in malicious code just like normal updates from us. But this is also very unlikely since I (and I guess also some of the other developers) normally tend to quickly read through all new changesets that I download from the server repository, and I never saw anything unusual there.

> > Hatari has been at BerliosOS only about a year (move happened dec 2008)
> > and moved there because we were dissatisfied with Sourceforge:
> > - slow
> > - riddled with advertisements
> > - no distributed version control (Mercurial) support
> >
> > At least at that time there were no good other candidates for hosting
> > that would have provided Mercurial (even support for Git was patchy).
> > Are there now?
> >
> 
> Apart from when the server went down during a weekend some months ago and this 
> recent attack, I don't have the feeling berlios is a bad hosting solution.
> At least for the size of our project and its relatively small activity, I 
> think it's just fine.

BerliOS is certainly not perfect - for example I am still waiting for the HG notify bug to get fixed (see https://developer.berlios.de/bugs/?func=detailbug&group_id=1&bug_id=16003). And their information policy concerning such security problems could really be faster and better. But at least they've posted a news item now:

https://developer.berlios.de/forum/forum.php?forum_id=34372

But apart from that, I also think it's still the best hosting solution for our project. Considering that we want to keep Mercurial as versioning system (which I personally would not want to miss anymore), there are not many alternatives, and most of them have other disadvantages.

SourceForge now seems to offer Mercurial, too, and the website layout got much better again, with less advertisement than a year before. So moving back there might be an alternative. But do you think that their information policy regarding security problems is better than BerliOS? I don't think so.

savannah.nongnu.org might be another alternative, but they are very picky (e.g. you have to write "GNU/Linux" instead of "Linux" everywhere in your project) and we would e.g. lose the possibility to use a non-free library like Pasti when it finally comes out for Linux... (Savannah forbids such GPL-linking exceptions that are normally possible).

All other development sites that offer Mercurial seem either to be non-free or restricted to other superior projects (like Debian Alioth).

So unless someone has a really good alternative idea, I'd also suggest staying with BerliOS.

 Thomas

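The integrity argument made above (a server-side edit to a Mercurial repository shows up as a clash with a local clone) can be illustrated with a small model of Mercurial's changeset identity. This is an added example, not code from the Hatari project or the list: it reuses Mercurial's real node formula (SHA-1 over the two parent ids in sorted order followed by the entry's content), but the entry content is reduced to a plain description, where a real changelog entry also carries the manifest id, author, date and file list. The history and the "backdoor" edit are constructed sample data.

```python
import hashlib

NULLID = b"\0" * 20  # Mercurial's null revision id (no parent)

def node_id(text: bytes, p1: bytes = NULLID, p2: bytes = NULLID) -> bytes:
    """Mercurial revlog node id: sha1(min(p1,p2) + max(p1,p2) + text).
    Because the parent id is part of the input, every descendant's id
    depends on the exact content of all its ancestors."""
    if p1 < p2:
        return hashlib.sha1(p1 + p2 + text).digest()
    return hashlib.sha1(p2 + p1 + text).digest()

def build_chain(entries):
    """Linear history: each changelog entry's id is chained to its parent."""
    nodes = []
    parent = NULLID
    for text in entries:
        parent = node_id(text, parent)
        nodes.append(parent)
    return nodes

def detect_divergence(local_nodes, server_nodes):
    """Compare the changeset ids a local clone already holds with the ids
    the server now serves (what `hg pull` does when matching heads).
    Returns the index of the first changeset whose id differs, or None
    when the server history is a faithful superset of the clone."""
    for i, node in enumerate(local_nodes):
        if i >= len(server_nodes) or server_nodes[i] != node:
            return i
    return None

# Constructed sample history (not real Hatari changesets).
HISTORY = [b"Initial import", b"Fix ST-MMU timing", b"Release 1.3.1"]

def demo():
    local = build_chain(HISTORY)
    # Case 1: a legitimate new commit on the server - no divergence.
    server_ok = build_chain(HISTORY + [b"Post-release cleanup"])
    # Case 2: someone rewrites changeset 1 in place on the server. Its id
    # and every descendant's id change, so the clone notices on the next pull.
    tampered = build_chain([HISTORY[0], b"Fix ST-MMU timing\n+ backdoor", HISTORY[2]])
    return detect_divergence(local, server_ok), detect_divergence(local, tampered)
```

The same check is what a developer does implicitly by pulling into an existing clone: ids that were already local must still match, or the histories have diverged.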
