
Re: Why the insecure services??

On Tue, 11 Dec 2001, Jonathan Hseu wrote:

> http://db.debian.org/ allows login via the web both securely and insecurely.
> Why even give the option of an insecure login that will give away the password
> in cleartext?
> Every developer _should_ have crypto web capabilities... after all, every
> developer _does_ have a GPG key, and we often use ssh to login to machines.
> Thus, having crypto for web browsers should not be a problem.  So, which
> developers would need the insecure login?


> On the same, but less severe, note: why allow anonymous FTP uploads?

Because you can't upload anything into the archive without a gpg-signed
.changes (which in turn contains md5sums of the uploaded files). That's a
lot safer than the plaintext-passwords in a non-anonymous FTP upload...

wouter dot verhelst at advalvas dot be

"Human knowledge belongs to the world"
  -- From the movie "Antitrust"
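The check described in the reply above, as an added example that is not part of the original message and is not the Debian archive's own code: uploaded files are accepted only if they match the md5sum and size listed in the `Files:` field of the signed .changes. It assumes the OpenPGP signature on the .changes has already been verified with gpg; the package names, file contents and function names are constructed for illustration.

```python
import hashlib

# Constructed sample payloads standing in for uploaded files.
GOOD_DSC = b"constructed source description\n"
GOOD_DEB = b"constructed package payload\n"

def make_sample_changes():
    """Build a constructed .changes body (signature armor omitted)."""
    lines = ["Source: hello", "Files:"]
    for name, data in (("hello_1.0-1.dsc", GOOD_DSC),
                       ("hello_1.0-1_i386.deb", GOOD_DEB)):
        lines.append(" %s %d devel optional %s"
                     % (hashlib.md5(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"

def parse_files_field(changes_text):
    """Return {filename: (md5hex, size)} from the Files: field."""
    entries, in_files = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            # Layout: md5sum size section priority filename
            md5hex, size, _section, _priority, name = line.split()
            entries[name] = (md5hex.lower(), int(size))
        elif in_files:
            break  # first non-continuation line ends the field
    return entries

def check_upload(changes_text, uploaded):
    """uploaded: {filename: bytes}. Return {filename: verdict}."""
    expected = parse_files_field(changes_text)
    verdicts = {}
    for name, data in uploaded.items():
        if name not in expected:
            verdicts[name] = "reject: not listed in .changes"
        elif len(data) != expected[name][1]:
            verdicts[name] = "reject: size mismatch"
        elif hashlib.md5(data).hexdigest() != expected[name][0]:
            verdicts[name] = "reject: md5 mismatch"
        else:
            verdicts[name] = "accept"
    for name in expected.keys() - uploaded.keys():
        verdicts[name] = "reject: listed but missing"
    return verdicts
```

A file swapped in during an anonymous upload fails the checksum comparison, and a file that the signed .changes never mentions is rejected outright.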
