Hi, On Fri, Jul 19, 2019 at 11:59 AM dr. Sybren A. Stüvel <syb...@stuvel.eu> wrote:
> I agree with Dan. FTP is an old, insecure protocol, and we don't need
> anonymous uploads at all. Platform maintainers can use their SSH key to
> gain access to the file storage.

Agreed! Debian has also deprecated FTP. I was speaking with Brecht as well, and was given the go-ahead to disable our FTP server indefinitely. While the directory for "ftp" still exists, note that the actual ftp:// protocol access to our download.blender.org server is considered disabled.

> I would recommend using a Yubikey for this, stored in a safe at the
> Blender Institute. Getting the right key is easy once it's poured into
> hardware.

Aye, in fact I was mentioning to Brecht that I have used a Yubikey for my SSH, signing, etc. for years now for access to the rack. They are very nice 2FA devices, in addition to their signing abilities. While I can't speak for Mac or Windows use, I know that Linux can use these very well. They would also be good for 2FA for some of our other services, such as Wordpress, but that is another topic.

On a side note, my apologies for not clarifying things more! The specific situation was that, after not having a virus uploaded to our ftp/incoming/ folder in nearly a year (September 2019), one suddenly happened at nearly the exact same time as our releases were starting to be populated. As a bit of a panic'd reflex, I made the call to alert the blender.chat coders channel, and after not getting responses from some core folks, I wrote the email, as a precaution!

The specific situation details are that we used to allow FTP uploads to the "incoming" area, which is how people generally put files onto the server for us. While we never allowed removing, appending, renaming, or downloading of files via FTP, an attacker could very well have taken advantage of this fact by colliding the filenames used for release.
In this particular case, the filename was info.zip, and it was detected by the system and moved out of the way, but you can imagine that this process is only so effective. And while FTP never allowed downloads, people (such as eager Blender users!) could always download the files via HTTP/HTTPS, if they merely visited the well-known URL that we have historically used as a community "drop box" of sorts. You can see my concerns!

Anyway, clearly I overreacted a bit, and ruffled some feathers! My apologies! Glad to see the security issue finally getting kick-started though! I look forward to a Yubikey discussion! :)

Cheers,
Dan

> --
> Sybren A. Stüvel
>
> https://stuvelfoto.nl/
> https://stuvel.eu/
>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers@blender.org
> https://lists.blender.org/mailman/listinfo/bf-committers