Quoting Helge Kreutzmann (debian@helgefjell.de):
> Hello,
> I finally created an account in pootle using http only (as I
> understood, there is no https yet) which was really annoying as of
> course the password went in plaintext over the (http) wire. After
> creation, I got an *unencrypted* e-mail *including my password*, so
> the plaintext password got sent over another "wire" again!
>
> I am really disappointed here - usually Debian takes pride in ensuring
> proper security and even before working with i18n.debian.net I
> encounter two grave security problems which are well known and should
> easily be avoided. Or is i18n.debian.net just one of the many projects
> where security is bolted on later when something happened or a CVE
> number has been assigned?
>
> And just after I finally logged in, I got "greeted" by a completely
> empty white page :-((

So what? You were warned about the current lack of high-profile security in Pootle, as we *already* talked about this on this very list.

The Pootle developers themselves (at least Friedel) explained that they have plans to implement things such as OpenID or LDAP auth, but their development schedule and resources are currently focused on localization-related functionality more than on security-related stuff (they have several GSOC projects running this summer).

If you dislike security in Pootle, that's fine by everybody around; just use something else. Pootle's use is not enforced for Debian localization.

If you want to help improve the situation, the source is easy to get, so please feel free to spend some time on this if you think that's something you absolutely need for your work. It would be welcomed, as most of us also think this is something we need.

"churro", being currently "i18n.debian.net" and not "i18n.debian.org", is not an official Debian service, and you can't expect the security profile you would find on official Debian servers.

This is how Debian works, just like "many other projects": things get done when someone cares enough to get them done. You care enough? Then do it... or find someone to do it... or coordinate efforts to do it.

And guess what? There are even bugs (such as what brought you an empty page). Maybe even things that aren't administered the way they should be (Pootle is currently monitored by /me alone and I was on holidays).

I absolutely dislike the tone of your mail, so I really hope this was a bad time or that some external factors were motivating the unconstructive remarks it contained. I even regret answering it, but I really can't let such mails go unanswered.
Attachment:
signature.asc
Description: Digital signature
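The second of the two problems raised in the quoted mail (the signup password echoed back in an unencrypted e-mail) only exists because the application still has the plaintext password after registration. The following is an added example, not code from Pootle or from anyone on this thread, of the usual way to avoid it: store only a salted PBKDF2 hash, and confirm the account with a random single-use token mailed in a link, so the e-mail never needs to contain the password. The class and function names (`AccountStore`, `register`, `confirm`, `check_login`), the in-memory dictionaries and the activation URL are assumptions made for the example; the first problem (the form itself being served over http) is outside this snippet and has to be fixed at the web server.

```python
"""Registration without ever mailing the password (added example, not Pootle code).

Assumptions for the example: an in-memory store instead of a database, a
hypothetical activation URL, and an injectable clock so expiry can be tested.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000          # slow hash: brute force costs the attacker time
TOKEN_TTL_SECONDS = 24 * 3600        # activation links stop working after a day
ACTIVATION_URL = "https://i18n.example.org/activate/"   # assumed URL, https only


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def _token_key(token: str) -> bytes:
    # Only the hash of the token is stored: a leaked table does not hand out
    # live activation links, and the lookup is a fixed-length dict key rather
    # than a byte-by-byte comparison of the secret itself.
    return hashlib.sha256(token.encode("ascii")).digest()


class AccountStore:
    def __init__(self, now=time.time):
        self._now = now
        self._accounts = {}   # username -> {"salt", "digest", "active"}
        self._pending = {}    # sha256(token) -> (username, expires_at)

    def register(self, username: str, password: str) -> str:
        """Create an inactive account; return the activation token to be mailed.

        The plaintext password is discarded as soon as it has been hashed,
        so nothing later in the flow (e-mail, logs, admin pages) can leak it.
        """
        if username in self._accounts:
            raise ValueError("username already taken")
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest, "active": False}
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._pending[_token_key(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def activation_mail_body(self, token: str) -> str:
        """What the registration e-mail carries: a link, never the password."""
        return "Confirm your account by opening:\n" + ACTIVATION_URL + token + "\n"

    def confirm(self, token: str) -> bool:
        """Activate the account for a valid, unexpired token; each token works once."""
        entry = self._pending.pop(_token_key(token), None)
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            return False                              # expired: the popped token is gone
        self._accounts[username]["active"] = True
        return True

    def check_login(self, username: str, password: str) -> bool:
        """Verify a login against the stored hash in constant time."""
        acct = self._accounts.get(username)
        if acct is None or not acct["active"]:
            return False
        _, digest = hash_password(password, acct["salt"])
        return hmac.compare_digest(digest, acct["digest"])


if __name__ == "__main__":
    store = AccountStore()
    token = store.register("helge", "correct horse battery staple")
    print(store.activation_mail_body(token))       # contains the link, not the password
    print("activated:", store.confirm(token))
    print("login ok:", store.check_login("helge", "correct horse battery staple"))
```

Two details matter for the complaint in the thread: `register` never returns or stores the password, so there is nothing to put in the e-mail, and `confirm` pops the token before checking expiry, so a token is consumed whether or not it was still valid. Serving the signup form itself over https is a web-server configuration question that no application code can fix.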