On Thu, Feb 19, 2004 at 10:55:56AM +0100, Ingo Juergensmann wrote: > On Thu, Feb 19, 2004 at 10:23:33AM +0100, Wouter Verhelst wrote: > > > > Well, one could argue that basically nothing has changed. The threatening was > > > always there and always be there. And from time to time there's is and will be > > > a compromise. Nothing changed. > > Well, yes, there's a difference. As I pointed out previously, it makes > > not much sense trying to implement strict access controls from a small > > number of systems if OTOH, there's a much larger group of people for > > which the controls aren't relevant. If, however, without the large group > > of people, the to-be-closed-down group is sufficiently small (check), > > well-known (check), and the result if a break-in is potentially > > extremely harmful (check; ftp-master is, uh, ftp-master), then it > > suddenly makes a *lot* more sense to implement such access controls. > > I don't disagree here, but the way of how this is going to be obtained is > questionable. I don't see how. If you have some concern with an area that you think could make it easier for an attacker to be able to log into ftp-master.d.o, then take it up with James -- or, perhaps more appropriately, email@example.com. I'm sure that, if your concerns are justified, they'll be happy. > > > You can't totally secure an open project with thousands of developers. > > No, but you can secure a mirror archive network by restricting access to > > its main server, which is what James is doing. That's reasonable; > > hundreds of thousands of users depend on the integrity of our archive > > network every day; we can't risk, not even remotely, for the archive to > > be compromised. > > But then again you should take care of other issues. IMHO, accessing > machines by pub keys intead of passwords makes it easier to compromise a > larger number of machines. The two aren't connected. There are no thousands of users accessing ftp-master.d.o by pubkeys anymore; only a few admins (whom, I might hope, have their pubkeys protected by passwords) and some buildd machines (where the buildd can only run "/usr/bin/wanna-build" on the remote machine; everything else is not allowed by the sshd running on ftp-master.d.o). The fact that Debian Developers can put their SSH pubkey in the LDAP directory at db.debian.org isn't even remotely related. Again, if you have a valable suggestion that could increase the security and robustness of ftp-master.debian.org, please do communicate it to the admins. -- Wouter Verhelst Debian GNU/Linux -- http://www.debian.org Nederlandstalige Linux-documentatie -- http://nl.linux.org "Stop breathing down my neck." "My breathing is merely a simulation." "So is my neck, stop it anyway!" -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.
Description: Digital signature