[scribus-dev] CVS (not SVN!) access has been shut down
craig at postnewspapers.com.au
Sun May 18 21:14:05 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
With the recent Debian OpenSSL fun, the time has come for me to shut
down CVS access. It hasn't seen a blip of activity since we went over to
svn, and some of the keys were trivially brute-forceable. Earlier (a
couple of days earlier, actually, I just didn't get around to posting
the note) I removed all authorized_keys files and locked all local
accounts. This will prevent unauthorized access even if any s|<ript
|<iddi3 reconfigures their automated cracking tool to probe for ssh
servers on nonstandard ports and they have the hours required to get
their botnet to bruteforce the weak keys.
xkcd.com, so widely ripped off)
The only thing left that might be at risk is the SSL key used by the
https server. I'll be re-generating that shortly just in case, but the
new key will be signed by the same (strong, safe) Scribus CA as the old
one so you shouldn't get any prompts.
This CVS account shutdown has absolutely no effect on svn, of course.
Even SVN sync/replication is being done over HTTPs. SVN accounts do not
correspond to local host accounts and are not affected by account locking.
If you do notice anything, please let me know - but you shouldn't.
As for backups: I'm still taking periodic snapshots of the svn file
system and copying them off the svn host. I can see at least one IP
taking full dumps of the history using the svnsync script, too, which is
good. Has that actually been tested to create a new working repository
from the dump recently?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the scribus-dev