[Teammetrics-discuss] Updating data?

Andreas Tille andreas at an3as.eu
Fri Dec 6 16:14:21 UTC 2013


Hi Sukhbir,

On Thu, Dec 05, 2013 at 10:48:34PM -0500, Sukhbir Singh wrote:
> 
> So everything (our automated script) seems to work, except that I
> think that after the Alioth outage, I managed to delete the public key
> entry of our password-less key on Alioth. I think we should generate a
> new one anyways.

OK.
 
> Before I do that, I was thinking, after our last conversation with
> Charles, we have been using that key for quite a while now. Do you
> think perhaps we should tell the Alioth admins that we are doing this?
> If yes, then I think you should ask them if it is OK to do this since
> we basically have a passwordless key lying on a VPS that can mess up
> at least the repositories. I thought about it and as I was about to
> add a new key, I thought I should discuss this with you.
> 
> From the last conversation we had with Charles:
> 
> https://lists.alioth.debian.org/pipermail/teammetrics-discuss/2012-April/000841.html:
> 
> > In my understanding, an attacker who would steal the private key would be able
> > to push stuff to the SVN repositories on Alioth (or exploit a security flaw of
> > /usr/bin/svnserve), but is not able to do anything else.
> 
> Well, OK I guess?

I think it is fair to discuss this with Alioth admins - maybe it makes
sense to use IRC for this.  Alioth admins seem to prefer this.

Maybe we come back to my initial proposal that we create a dedicated
user on Alioth who has our job as login shell and thus can only use this
shell (and nothing else).  This should increase the hurdle to do
something bad.

Kind regards

       Andreas.

-- 
http://fam-tille.de
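
Added example (not part of the original message or of the Teammetrics scripts): the thread turns on how much a stolen passphrase-less key can do, so this Python script audits authorized_keys entries for a forced command and the OpenSSH restriction options. The sample entries, the "svnserve -t" forced command and all function names are assumptions made for illustration.

```python
import re

KEY_TYPE = re.compile(r"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Options prefix: unquoted characters or double-quoted strings, up to the first bare space.
ENTRY = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')
# Per-feature options that limit a stolen key; "restrict" implies all of them.
WANTED = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

# Constructed sample: key material is a placeholder, "svnserve -t" is an assumed forced command.
SAMPLE = '''\
ssh-rsa AAAAB3PLACEHOLDER metrics@vps
command="/usr/bin/svnserve -t",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER metrics@vps
command="/usr/bin/svnserve -t",restrict ssh-ed25519 AAAAC3PLACEHOLDER metrics@vps
'''

def split_entry(line):
    """Return (options, key_type) for one authorized_keys line."""
    first = line.split(None, 1)[0]
    if KEY_TYPE.match(first):  # line starts with the key type: no options at all
        return {}, first
    m = ENTRY.match(line)
    if not m:  # unbalanced quotes: treat as unrestricted so the entry gets flagged
        return {}, ""
    opts = {}
    for o in OPTION.finditer(m.group(1)):  # option names are case-insensitive
        opts[o.group(1).lower()] = True if o.group(2) is None else o.group(2)
    rest = m.group(2).split()
    return opts, (rest[0] if rest else "")

def audit(text):
    """Return [(line_no, key_type, [problems])] for entries that are too permissive."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, ktype = split_entry(line)
        problems = [] if "command" in opts else ["no forced command: key grants a full shell"]
        if "restrict" not in opts:
            problems += [f"missing {o}" for o in WANTED if o not in opts]
        if problems:
            findings.append((n, ktype, problems))
    return findings

if __name__ == "__main__":
    for n, ktype, problems in audit(SAMPLE):
        print(f"line {n} ({ktype}): " + "; ".join(problems))
```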


