[kaffe] [OffTopic] Savannah has been compromised
robilad at kaffe.org
Wed Dec 3 14:35:02 PST 2003
Since I haven't received any news on this yet, and many people here
probably contribute to one project on Savannah or another, I just wanted
to spread the news that savannah.gnu.org has been compromised. cracked.
broken in. just like Debian last week.

I'm as angry as you are at the perpetrators.

http://savannah.gnu.org/statement.html currently reads:

On December 1st, 2003, we discovered that the "Savannah" system, which
is maintained by the Free Software Foundation and provides CVS and
development services to the GNU project and other Free Software
projects, was compromised at circa November 2nd, 2003.

The compromise seems to be of the same nature as the recent attacks on
Debian project servers; the attacker seemed to operate identically.
However, this incident was distinctly different from the modus operandi
we found in the attacks on our FTP server in August 2003. We have also
confirmed that an unauthorized party gained root access and installed a
root-kit ("SucKIT") on November 2nd, 2003.

In the interest of continuing cooperation and in helping to improve
security for all essential Free Software infrastructure, and despite
important philosophical differences, we are working closely with Debian
project members to find the perpetrators and to secure essential Free
Software infrastructure for the future. We hope to have future joint
announcements that discuss a unified strategy for addressing these problems.

For the moment, we are installing replacement hardware for the Savannah
system, and we will begin restoring the Savannah software this week.
Initially, there will be some security related changes which may be
inconvenient for our developers. We will try to ease these as we find
secure ways to do so. We are in particular researching ways to ensure
secured authentication of the source code trees stored on the system.

We will send more detailed announcements about efforts to verify the
authenticity of the source code hosted on Savannah, and how the
community can help in that effort once we've brought the system back online.

We hope to have at least minimal services back up by Friday 5 December