Intrusion on GNOME Web Server

We've discovered evidence of an intrusion on the server
hosting www.gnome.org and other gnome.org websites.
After some research, we've found it unlikely that any GNOME
sources on our FTP site or source code repository have been
affected.

A number of services have been restored on a replacement
machine. Updates will be posted to the gnome-announce-list,
and found in our archives.

A quick status update on the situation:

* No additional damage has been discovered; at the current
time we are cautiously hopeful that the compromise was
limited in scope.

* ftp.gnome.org is back on now that we have additional
confidence in the integrity of the tarballs.

* We've now restored a number of services running on a
replacement machine:

- Websites including www.gnome.org, and developer.gnome.org
are back up in limited service; dynamic content is still
off so some parts may be inaccessible.

- planet.gnome.org is again providing all your favorite
blogs and gossip.

- Bugzilla is in testing mode; we hope to restore general
access in the next day.

Thanks for your patience; we'll continue to provide updates
as we move back to fully operational status.

Re: Intrusion on GNOME Web Server

The other question is: Where would the development be done? Open Source projects must have Internet facing servers that can be written to, else no work could be done. Since GNOME is in CVS, I'd guess that most of the tarballs on the web/ftp servers are generated on another machine and then uploaded to the distribution site, like the parent suggested anyway.

The tarballs do have MD5 sums with them in the same directory. It would be nice if there were PGP signatures for each release made with a public key that could be verified on a third party server. This would go a lot farther to assure that the file on the FTP site is the file the author did actually release.
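
The comment above contrasts MD5 sums stored beside the tarballs with a check rooted outside the download server. The sketch below is an added example, not part of the original post or GNOME's tooling: it stands in for PGP signatures with a SHA-256 digest recorded off the server (a substitution, since Python's standard library has no PGP support), and the `MD5SUMS` file name, tarball name and contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_hex(path: Path) -> str:
    # MD5 only because that is what the sum files described on the page use.
    return hashlib.md5(path.read_bytes(), usedforsecurity=False).hexdigest()


def sha256_hex(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_colocated_md5(site: Path, sums_name: str = "MD5SUMS") -> dict:
    """Check files against an md5sum-format list stored in the same directory."""
    results = {}
    for line in (site / sums_name).read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*")  # md5sum prefixes binary-mode names with '*'
        results[name] = md5_hex(site / name) == digest.lower()
    return results


def check_pinned(site: Path, pinned: dict) -> dict:
    """Check files against digests recorded somewhere other than the site."""
    return {name: sha256_hex(site / name) == d for name, d in pinned.items()}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        tarball = site / "example-1.0.tar.gz"  # constructed name and contents
        tarball.write_bytes(b"release contents as published")
        (site / "MD5SUMS").write_text(f"{md5_hex(tarball)}  {tarball.name}\n")
        # Recorded at release time and kept off the download server (assumption).
        pinned = {tarball.name: sha256_hex(tarball)}
        before = (check_colocated_md5(site), check_pinned(site, pinned))
        # Whoever can write to the directory can change the file and its sum.
        tarball.write_bytes(b"contents changed on the server")
        (site / "MD5SUMS").write_text(f"{md5_hex(tarball)}  {tarball.name}\n")
        after = (check_colocated_md5(site), check_pinned(site, pinned))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

After the change, the co-located MD5 check still reports the file as good while the off-server record flags it, which is the gap a signature verified against an independently published key closes.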