Re: New website layout / design contest?

2006-09-06 Thread Chris Waters
On Tue, Sep 05, 2006 at 07:23:05AM +0200, Christian Perrier wrote:

 Our priorities are our users and free software.

But people who aren't running Debian aren't (by definition) our users,
so trying to attract them with shiny slow graphics and distracting
color changes and annoying animations and excessive clutter and other
hallmarks of modern websites is not our priority.  Maybe you want us to
use Flash everywhere too?

And saying that our priorities are our users doesn't mean that we
should try to dazzle our users with glitzy graphics and cool
interfaces when they want help and information.  It means we should
provide them help and information when they want help and information.

Anyway, I'm not opposed to the idea of a website redesign.  But when
people say "how can we make it look better" rather than "how can we
make it work better", that worries me.

-- 
Chris Waters   |  Pneumonoultra-osis is too long
[EMAIL PROTECTED]   |  microscopicsilico-to fit into a single
or [EMAIL PROTECTED] |  volcaniconi-  standalone haiku


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Christoph Berg
Re: Raphael Hertzog 2006-09-06 [EMAIL PROTECTED]
 Alioth's web server was unavailable for most of the 5th of September. It was
 simply stopped because we discovered that some script kiddies were running an
 IRC proxy. After thorough investigation, we discovered that they exploited a
 pmwiki security hole[1] to deface some web pages, to install some malicious php
 pages which in turn were used to setup the IRC proxy.
[...]
 On a related matter, we're preparing the move of Alioth to a new (and bigger)
 machine (called wagner.debian.org), and we'll make use of that opportunity to
 further strengthen the security measures as well as add more security checks. 

In that light, wouldn't it make sense to keep svn.debian.org separate
from the highly exposed http://*.alioth.debian.org services?

Christoph
-- 
[EMAIL PROTECTED] | http://www.df7cb.de/




Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Marc Haber
On Wed, Sep 06, 2006 at 12:25:54PM +0200, Raphael Hertzog wrote:
 Alioth's web server was unavailable for most of the 5th of September. It was
 simply stopped because we discovered that some script kiddies were running an
 IRC proxy. After thorough investigation, we discovered that they exploited a
 pmwiki security hole[1] to deface some web pages, to install some malicious php
 pages which in turn were used to setup the IRC proxy.

Is it possible to rule out privilege escalation?

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: New website layout / design contest?

2006-09-06 Thread Martin Schulze
Christoph Haas wrote:
 On Tuesday 05 September 2006 04:16, Matej Cepl wrote:
  Paul Belanger wrote:
   After all, the point of any distribution is to sell it to a user.
 
  It is not. For example, Debian Developers usually don't care how many
  users is Debian sold to. And that is a good thing.
 
 If you think of the monetary aspect: okay. But if you think of selling 
 something to someone in the meaning of promotion then I'll definitely 
 second that debian.org's web site is not very appealing. It does its job 
 and is functional - but it is not very nifty. And by the way I *do* care 
 how many users use my packages or Debian altogether. It's nicer to 
 maintain something that 1000 people use than something that is just 
 rotting in the archives.
 
 I remotely remember that the last time this topic came up the thread was 
 closed with a this is not a high priority - we are dedicated to deliver 
 the best operating system, not the best web site statement. No doubt 
 about that. But people like something nice for their eyes, too. When I 
 started playing around with Debian I was surprised about debian.org. So 
 many people used Debian privately and professionally but the web site just 
 didn't reflect that. Many people judge a product (or in our case: an 
 operating system) by the first look. And as Debian is technically well 
 done I believe it deserves a good public appearance, too.
 
 I'm not a member of the web team but I could imagine contributing to it 
 even though I'm not the greatest web programmer of all times. Perhaps a 
 contest may be nice. (But if the result looks as ugly as Ubuntu's web site 
 I'm scared already. ;)  ) Whatever it turns out I'm pretty sure that it's 
 time for a redesign. Perhaps not pre-Etch though.

Well, you can always check out the current website, improve it and
apply patches.  How it works is described at
http://www.debian.org/devel/website/.

I'm interested in patches and proposals.

Regards,

Joey

-- 
Linux - the choice of a GNU generation.





Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Henrique de Moraes Holschuh
(Mail redirected to debian-project, and to the Alioth team contact)

On Wed, 06 Sep 2006, Raphael Hertzog wrote:
 This move will let us merge costa.d.o (svn/bzr/arch/git.d.o), and haydn.d.o
 (alioth.debian.org) on a single host. This also means that the transition can't

Thus guaranteeing that further security incidents on a host that allows
people to install software are now going to affect the version control
systems.

Please reconsider.  svn/bzr/arch/git.d.o should run on an audited machine,
where we have little access other than enough to do local repository
maintenance, and where no untrusted software is allowed.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: New website layout / design contest?

2006-09-06 Thread Christoph Haas
On Wednesday 06 September 2006 12:49, Chris Waters wrote:
 But people who aren't running Debian aren't (by definition) our users,
 so trying to attract them with shiny slow graphics and distracting
 color changes and annoying animations and excessive clutter and other
 hallmarks of modern websites is not our priority.  Maybe you want we
 should use Flash everywhere too?

There is some difference between the current appearance of debian.org and 
delusions from mabushi web designers called web 2.0.

Don't claim that the appearance isn't important. A lot of people will prove 
you wrong. Just because you (and I) like the technical aspects of Debian 
better it does not mean that users don't care about appearance. My 
mother-in-law uses Debian and she has never in her life heard of dpkg 
or apt. And she prefers one instant messenger over the other just by the 
looks of the GUI.

Our cantina is a good proof that ugly things can taste good. You are 
invited for a sample. :)

 And saying that our priorities are our users doesn't mean that we
 should try to dazzle our users with glitzy graphics and cool
 interfaces when they want help and information.

The reason CSS was invented was to separate design and content. We are not 
criticizing the content. The content is great.

 Anyway, I'm not opposed to the idea of a website redesign.  But when
 people say, how can we make it look better rather than how can we
 make it work better, that worries me.

For me design goes with functionality. And now I quit babbling before I 
start talking like a marketing dork.

Cheers
 Christoph





Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Raphael Hertzog
On Wed, 06 Sep 2006, Christoph Berg wrote:
 Re: Raphael Hertzog 2006-09-06 [EMAIL PROTECTED]
  Alioth's web server was unavailable for most of the 5th of September. It was
  simply stopped because we discovered that some script kiddies were running an
  IRC proxy. After thorough investigation, we discovered that they exploited a
  pmwiki security hole[1] to deface some web pages, to install some malicious php
  pages which in turn were used to setup the IRC proxy.
 [...]
  On a related matter, we're preparing the move of Alioth to a new (and bigger)
  machine (called wagner.debian.org), and we'll make use of that opportunity to
  further strengthen the security measures as well as add more security checks.
 
 In that light, wouldn't it make sense to keep svn.debian.org separate
 from the highly exposed http://*.alioth.debian.org services?

It could be argued that way.

We decided to merge them for various reasons:
- Many groups have their website under VCS control and would like to use
  the commit hooks to auto-update the website
- Local (read-only) access to the repository can also be interesting 
  for some specific web applications (cf my idea of web interface for the
  collaborative maintenance, http://wiki.debian.org/CollaborativeMaintenance)
- Even if gforge was meant to be used on multiple machines, having gforge
  infrastructure on multiple machines is complicated and is already
  causing us numerous support requests because people do not pay
  attention to the propagation delays of changes made on the
  web-interface.
  Having immediate SVN access once someone has been added is a nice
  enhancement for everybody.

Concerning security:
- the new Alioth will be hosted in a Xen host (wagner.debian.org will be
  restricted to Alioth admins only, whereas alioth.debian.org will point
  directly to the Xen host). 
  This means it's easy to stop (or shutdown) the Alioth host for
  inspection, or to simply reinstall it from scratch. That's why while
  preparing the new Alioth, I'm documenting the configuration of all the
  services.
- The most common security issues come up with web applications and thus
  concern mainly the www-data user. The combination with a local exploit
  is less frequent and requires another hole in a packaged software.
- We're running famke and are thus informed within 24 hours if some
  security updates are waiting to be installed.
- Using Xen also has the advantages that it's easier to install a new
  kernel, and since official Xen Debian kernels will be shipped with etch,
  we'll have security support for that as well.
- And last point, the new host will be firewalled, and will not allow
  incoming connections on random ports anymore.

If I had more time I'd look further into things like SELinux or NuFW to
impose additional restrictions on the www-data user or apache process.
But external help is always welcome. :-)

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/





Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Raphael Hertzog
On Wed, 06 Sep 2006, Marc Haber wrote:
 On Wed, Sep 06, 2006 at 12:25:54PM +0200, Raphael Hertzog wrote:
  Alioth's web server was unavailable for most of the 5th of September. It was
  simply stopped because we discovered that some script kiddies were running an
  IRC proxy. After thorough investigation, we discovered that they exploited a
  pmwiki security hole[1] to deface some web pages, to install some malicious php
  pages which in turn were used to setup the IRC proxy.
 
 Is it possible to rule out privilege escalation?

It's almost impossible to rule out a perfect attack with a yet unknown
security hole; however, we didn't find any sign that anything else was
compromised. The kernel had been updated after the last gluck compromise,
so it was not vulnerable to the known local root exploits.

Also the password database should be safe since credentials for accessing
the database are only made available by apache to PHP/CGI scripts
installed in /usr/share/gforge/www/ (which is not writable to www-data).

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/


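The checks behind the answer above, as an added example that is not code from the thread or from Alioth: a POSIX sh script that lists script files sitting in directories the web server user could have written to (where dropped PHP pages end up when an attacker has only www-data's rights) and files modified inside the intrusion window. The web user name, the web root and the sample tree are constructed assumptions for the demo; on a real host you would point the functions at the document root and keep the output for comparison.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alioth: two triage checks
# for a compromise that ran only as the web server user. The user name,
# paths and the sample tree below are constructed for the demo.

# Print script files (*.php, *.cgi, *.pl) that sit in a directory the web
# user could write to: owned by that user, or world-writable. These are
# the directories where a web-app hole lets an attacker drop pages.
find_scripts_in_writable_dirs() {
    root=$1
    webuser=${2:-www-data}
    {
        if id "$webuser" >/dev/null 2>&1; then
            find "$root" -type d \( -perm -0002 -o -user "$webuser" \)
        else
            # No such account on this box: fall back to world-writable only.
            find "$root" -type d -perm -0002
        fi
    } 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) -print
    done | sort -u
    return 0
}

# Print regular files under $1 modified within the last $2 days (default 2),
# to bound the window of the intrusion.
find_recently_modified() {
    find "$1" -type f -mtime -"${2:-2}" -print 2>/dev/null | sort
    return 0
}

# Demo on a constructed tree: a read-only application directory next to a
# world-writable upload directory that holds a dropped PHP page.
demo_triage() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app" "$tmp/uploads"
    printf '<?php echo "legitimate page"; ?>\n' > "$tmp/app/index.php"
    printf '<?php /* dropped page, constructed for the demo */ ?>\n' > "$tmp/uploads/x.php"
    touch -t 200609010000 "$tmp/app/index.php"   # old and untouched
    chmod 0755 "$tmp/app"
    chmod 0777 "$tmp/uploads"
    echo "scripts in directories the web user can write to:"
    find_scripts_in_writable_dirs "$tmp" www-data
    echo "files modified in the last 2 days:"
    find_recently_modified "$tmp" 2
    rm -rf "$tmp"
}

demo_triage
```

This only finds what a www-data-level attacker left behind. An attacker who did get root can reset mtimes and replace binaries, so these checks complement, rather than replace, verifying package checksums and inspecting the disk from outside the running system, which is exactly what the Xen setup discussed in this thread is meant to make easy.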



Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Raphael Hertzog
Hi,

On Wed, 06 Sep 2006, Henrique de Moraes Holschuh wrote:
 On Wed, 06 Sep 2006, Raphael Hertzog wrote:
  This move will let us merge costa.d.o (svn/bzr/arch/git.d.o), and haydn.d.o
  (alioth.debian.org) on a single host. This also means that the transition 
  can't
 
 Thus guaranteeing that futher security incidents on a host that allows
 people to install software are now going to affect the version control
 systems.
 
 Please reconsider.  svn/bzr/arch/git.d.o should run on an audited machine,
 where we have little access other than enough to do local repository
 maintenance, and where no untrusted software is allowed.

Running svn/bzr/arch/git on a separate machine adds very little security
since all the accounts of costa are copies of the accounts on alioth. And
the shell access is needed to be able to commit, to setup notifications,
and to make private backups.

If the attacker gets root rights after having compromised a web
application, he will have access to the password database and will
be able to crack them or simply change a password from a rarely used
account and wait for it to be propagated to the other machine.
If he doesn't get more rights than www-data, he won't be able to do
anything to the VCS repositories.

The reason why we moved svn.debian.org to a separate machine was more a
disk and resource issue than a security one. 

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/





Linux course

2006-09-06 Thread Leonardo Leão
Dear all,

I am in Recife and want to take a Linux course that is based, preferably,
on the Debian distribution. Could you tell me about a course here that uses
Debian, or otherwise one that is recommended?

I have good experience in IT (more than 30 years) and would not like to
enrol in one of those extremely basic courses.

I also intend to work with this distribution at our clients.

Thanks in advance for your attention,

Leonardo Leão
Develop Tecnologia
www.developtec.com.br
81.21023806
81.99338252






Re: Security incident on Alioth and other Alioth news

2006-09-06 Thread Henrique de Moraes Holschuh
On Wed, 06 Sep 2006, Raphael Hertzog wrote:
 Running svn/bzr/arch/git on a separate machine adds very little security
 since all the accounts of costa are copies of the accounts on alioth. And

Time to fix that, then.

 If the attacker gets root rights after having compromised a web
 application, he will have access to the password database and will
 be able to crack them or simply change a password from a rarely used

Just remove all password-based shell access, make it key-based only.

Of course, to really close the hole, you need to periodically hunt down
irresponsible users that upload gpg and ssh private keys to their accounts
(password-protected or not, it doesn't matter).

 If he doesn't get more rights than www-data, he won't be able to do
 anything to the VCS repositories.

However, getting more rights is just a matter of waiting for the next kernel
exploit (just like the attacker did in the last @d.o compromise before
Alioth).  Unless Alioth updates kernels now on a very narrow time window,
that even our security team is not capable of meeting?

 The reason why we moved svn.debian.org to a separate machine was more a
 disk and resource issue than a security one. 

Well, maybe it is time to consider improving the security setup instead of
making it worse...  And that will be that much easier if the repositories
are not sharing a box with the rest of gforge and user applications.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


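The two points made in the message above, as an added example that is not code from the thread or from Alioth: a POSIX sh check that a given sshd_config really disables password logins (sshd uses the first value it sees for a keyword outside Match blocks, and the compiled-in default is yes, so a commented-out line is the same as no line at all), and a sweep of home directories for private key material, which catches password-protected keys too because the armour header is the same. The config path, the home directory tree and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alioth. Paths and sample
# files below are constructed for the demo.

# Exit 0 if the given sshd_config disables password logins globally.
# sshd uses the first value it sees for a keyword, and the compiled-in
# default is "yes", so a missing or commented-out line means enabled.
# Settings inside Match blocks apply only to matched connections and are
# not evaluated here.
sshd_password_auth_disabled() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "${val:-yes}" = "no" ]
}

# Print files under $1 that look like private keys: ASCII-armoured PEM or
# OpenSSH keys (encrypted or not, the header is the same) and PGP secret
# key blocks, plus the binary files OpenSSH and GnuPG use by default.
find_private_keys() {
    {
        grep -rlE \
            -e '-----BEGIN (RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----' \
            -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"
        find "$1" -type f \( -name id_rsa -o -name id_dsa -o -name secring.gpg \)
    } 2>/dev/null | sort -u
    return 0
}

# Demo on a constructed tree: a config that only disables passwords inside
# a Match block (so the global default still applies), and a home directory
# holding a backup copy of a private key next to a harmless public key.
demo_keys() {
    tmp=$(mktemp -d)
    printf 'PasswordAuthentication yes\nMatch User deploy\n  PasswordAuthentication no\n' \
        > "$tmp/sshd_config"
    mkdir -p "$tmp/home/alice/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed, not a real key' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/home/alice/.ssh/backup.pem"
    printf 'ssh-rsa AAAA constructed public key\n' > "$tmp/home/alice/.ssh/id_rsa.pub"
    if sshd_password_auth_disabled "$tmp/sshd_config"; then
        echo "sshd: password logins disabled globally"
    else
        echo "sshd: password logins still enabled globally"
    fi
    echo "private key material found:"
    find_private_keys "$tmp/home"
    rm -rf "$tmp"
}

demo_keys
```

Run the sweep as root over the real home directories and treat every hit as a key to be revoked, not just deleted: once a box has been compromised at www-data level, any key copied into a home directory has to be assumed read, and the same is true of keys whose passphrase is the user's login password.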