[scribus-dev] CVS (not SVN!) access has been shut down

Craig Ringer craig at postnewspapers.com.au
Sun May 18 21:14:05 CEST 2008

Hi all

With the recent Debian OpenSSL fun, the time has come for me to shut
down CVS access. It hasn't seen a blip of activity since we went over to
svn, and some of the keys were trivially brute-forceable. Earlier (a
couple of days earlier, actually, I just didn't get around to posting
the note) I removed all authorized_keys files and locked all local
accounts. This will prevent unauthorized access even if any s|<ript
|<iddi3 reconfigures their automated cracking tool to probe for ssh
servers on nonstandard ports and they have the hours required to get
their botnet to bruteforce the weak keys.

http://img528.imageshack.us/img528/5404/tcv80ipepkza7.jpg    (Thanks
xkcd.com, so widely ripped off)

The only thing left that might be at risk is the SSL key used by the
https server. I'll be re-generating that shortly just in case, but the
new key will be signed by the same (strong, safe) Scribus CA as the old
one so you shouldn't get any prompts.

This CVS account shutdown has absolutely no effect on svn, of course.
Even SVN sync/replication is being done over HTTPS. SVN accounts do not
correspond to local host accounts and are not affected by account locking.

If you do notice anything, please let me know - but you shouldn't.

As for backups: I'm still taking periodic snapshots of the svn file
system and copying them off the svn host. I can see at least one IP
taking full dumps of the history using the svnsync script, too, which is
good. Has that actually been tested to create a new working repository
from the dump recently?

Craig Ringer
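
One way to verify the two steps described in the message above (authorized_keys files removed, local accounts locked), as an added example that is not part of the original post or of the Scribus server's tooling. It reads a shadow(5)-format file and a tree of home directories; the function names and the sample accounts alice, bob and carol are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that no SSH key file or usable password remains.

# Accounts whose shadow(5) password field is not locked. A field starting
# with '!' or '*' matches no password; an empty field requires none at all.
unlocked_accounts() {   # $1 = shadow-format file
    awk -F: 'NF >= 2 && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# authorized_keys files still present under a tree of home directories.
remaining_key_files() { # $1 = directory holding the home directories
    find "$1" -type f -path '*/.ssh/*' \
        \( -name authorized_keys -o -name authorized_keys2 \) | sort
}

# Return 0 only when both steps hold; otherwise list what is left over.
audit() {               # $1 = shadow file, $2 = home root
    users=$(unlocked_accounts "$1")
    keys=$(remaining_key_files "$2")
    [ -z "$users" ] || echo "$users" | sed 's/^/not locked: /'
    [ -z "$keys" ] || echo "$keys" | sed 's/^/key file left: /'
    [ -z "$users" ] && [ -z "$keys" ]
}

# Constructed sample: alice is fully handled, bob is locked but still has a
# key file, carol has no key file but keeps a usable password hash.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol"
    : > "$d/home/bob/.ssh/authorized_keys"
    cat > "$d/shadow" <<'EOF'
alice:!$1$constructed$hashhashhashhashhashha:14017:0:99999:7:::
bob:!:14017:0:99999:7:::
carol:$1$constructed$hashhashhashhashhashha:14017:0:99999:7:::
EOF
    echo "$d"
}

sample=$(make_sample)
audit "$sample/shadow" "$sample/home" || echo "mitigation incomplete"
rm -rf "$sample"
```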

