[Savannah-hackers] RE: Status of savannah : TSP
From: TSP
Subject: [Savannah-hackers] RE: Status of savannah : TSP
Date: Tue, 6 Jan 2004 12:08:12 +0100
Hello,
I have some difficulties updating my password: my email address changed
last year from address@hidden to address@hidden. And I forgot
to update my email address, and the ASTRIUM admin deactivated it recently.
So how can I get a way to update my password, because the automatic
procedure "Lost password" sends a mail to my last address? It's the same
thing for the user yduf (my developer account).
Could you change both to the new domain astrium.eads.net?
Thank you in advance for your help, and sorry to bother you with such simple
things.
Best Regards
YD
-------------------------------------------------------------------
Yves DUFRENNE
Expert in Software Avionic Facilities
EA54/Astrium
31 Rue des Cosmonautes, 31400 Toulouse, France
Tel.: +33-5-6219 7150, Fax: +33-5-6219 7741
-------------------------------------------------------------------
> -----Original Message-----
> From: Bradley M. Kuhn [mailto:address@hidden
> Sent: Tuesday, December 23, 2003 7:18 AM
> To: address@hidden
> Subject: Status of savannah.{gnu,nongnu}.org
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Monday 22 December 2003, 19:51 EST
>
> Dear Savannah Users,
>
> As you know, savannah.gnu.org and savannah.nongnu.org have been down for a
> number of weeks due to a system crack. Thanks to the contributions of
> many people -- most notably Mathieu Roy, Jim Blair, and Paul Fisher -- the
> system is working again for existing projects.
>
> We have implemented a new security infrastructure that uses chroot'ed
> environments to isolate each project. We have of course tightened up
> security, but even if that tightened security is compromised for a
> particular project, the cracker can most likely only impact that one
> project. Please read this whole statement in detail before beginning work
> again.
>
> As part of the security changes, there are nine user-visible changes of
> particular interest. Six of those changes are implemented now (three of
> which are temporary), and two will be implemented later. They are as
> follows:
>
> (0) All passwords were invalidated. You will need to use the "Lost
>     Password" option to regain access. (Click on "Login via SSL" and
>     then the "[Lost Password?]" link.) Expect an email shortly once
>     you've clicked that link. If you do not receive the email within a
>     very short time period to the address you had on file with your
>     account, please write to <address@hidden>.
>
>     Once you have access again, please check the developer and
>     administrator lists for all your projects, and be sure that you
>     recognize all the email addresses and user accounts attached to
>     your projects. It is up to each user to vigilantly check the other
>     authorized users, just as it was to check the integrity of your
>     source.
>
> (1) All authorized SSH keys have been removed from the database. Once
>     your account is reactivated, you must again upload your SSH key.
>     We now only accept SSHv2 keys. Although the web interface will
>     allow you to upload SSHv1 keys, they will not function to give you
>     access. Only SSHv2 keys will provide access and savannah will only
>     accept SSHv2 connections.
>
> (2) Anonymous CVS access will continue, but pserver access has been
>     discontinued. We realize that many have become accustomed to this
>     form of anonymous access, but we found many security problems in
>     pserver and we must avoid it. Anonymous access can now occur via
>     SSHv2. To do so, use the following CVSROOT:
>
>         :ext:address@hidden:/cvsroot/PROJECT
>     or
>         :ext:address@hidden:/cvsroot/PROJECT
>
>     So, for example, to get an anonymous checkout of the GNU Emacs
>     sources, you would run the following on the bash command line:
>
>         export CVS_RSH="ssh"
>         cvs -d :ext:address@hidden:/cvsroot/emacs co emacs
>
>     The first time you do this, you will be prompted by SSH to
>     authenticate the server's key fingerprint. See (3) below for
>     details.
>
>     Note that since only SSHv2 is accepted, you must be sure that your
>     ~/.ssh/config does indicate use of "Protocol 1" with
>     savannah.gnu.org and savannah.nongnu.org.
>
>     If you are absolutely unable to use this method for anonymous
>     access, and you rely on anonymous access, please contact
>     <address@hidden>. Since SSH is now ubiquitously
>     available on Free Software systems, we believe that requiring SSH
>     to be installed locally to gain anonymous access from savannah is
>     not burdensome. If it turns out to burden you, please contact us.
>
>     In fact, this new method authenticates and secures all anonymous
>     access, and anonymous users are now safe from person-in-the-middle
>     attacks when they verify the SSH host keys.
>
> (3) The host SSH keys for savannah.gnu.org, savannah.nongnu.org,
>     subversions.gnu.org, etc. have changed. They are as follows:
>
>         DSA 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5
>         RSA 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
>
>     You will be prompted for these the first time you use SSH to connect.
>     If you have older keys stored in your known_hosts file, you may get
>     a message that says there is a "nasty problem". If so, remove the
>     offending entry from your ~/.ssh/known_hosts, and reconnect. SSH
>     will prompt you to authenticate anew with one of the keys above.
>
> (4) Temporarily, we are unable to approve new projects on savannah. We
>     expect to begin accepting new projects before the end of January
>     2004. We have to reimplement project creation scripts to adhere to
>     the new chroot structure.
>
> (5) Temporarily, the file distribution areas for releases are not
>     functioning. We hope to make them functional again in January 2004
>     and secure them by using a similar system to that now used on
>     ftp.gnu.org.
>
> (6) Temporarily, all web CVS trees are not functioning. It is
>     currently not possible to work on the CVS trees for websites using
>     savannah. We hope to fix this in mid-January 2004.
>
> (7) In early January 2004, we will record for each project whether or
>     not the developers have checked their integrity using the data in
>     previously-posted announcements. The indicator will be similar to
>     the "is GNU"/"is not GNU" indicator on the main project page.
>
> (8) You will later be required to upload a GnuPG key. We are working
>     on changes that will require GPG-signing of all CVS commits. That
>     functionality is not yet available, but when it is, we plan to
>     make it mandatory to ensure the integrity of all software hosted
>     on Savannah.
>
>
> Finally, I want to thank all of you for your patience while we worked to
> resolve these problems. I know that many of you have been considering for
> the past few weeks switching to another project development site. I don't
> blame you for considering that. However, I ask now that you decide to
> stay. We have learned from this experience how to harden the system to be
> less susceptible to cracking, and the changes we've made will not only
> help to prevent future cracks, but will mitigate the damage such a crack
> can cause. The GPG-signing features that we plan to add in the coming
> months will (at least at first) be unique among project hosting sites, and
> ensure the integrity of your software to the greatest degree that is
> humanly possible.
>
> Meanwhile, Loic Dachary has coordinated the acquisition of new, redundant
> servers in France, and we will work over the coming months to make them
> (at first) read-only mirrors of the existing savannah (that can be turned
> immediately live upon the occurrence of the crack). In addition, as
> Executive Director of FSF, I am committed to implementing protocols and
> procedures over the next few months designed to limit downtime to a matter
> of hours in the case of a crack.
>
> This crack comes on the heels of cracks against many other Free Software
> project sites; the crack of savannah is not an isolated incident. We must
> work together as a community to weather these incidents. For our part,
> this meant long hours and late nights over the past weeks to harden the
> system, and more hard work to improve our disaster recovery plans. We ask
> that you make a contribution by sticking with us now that we've hardened
> the system and work with us to keep the system secure for Free development
> and software sharing.
>
>
> Sincerely,
>
> Bradley M. Kuhn
> Executive Director, Free Software Foundation
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/55J853XjJNtBs4cRArnIAJ4gz/8rCx9TEXQ1tSdQDe2r9NZPTQCgpbL8
> Sfd0jTjsYsUdBCk9106t5wE=
> =pqRL
> -----END PGP SIGNATURE-----
>
>
important_notice.txt
Description: Text document
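
Added example (not part of the original message or of Savannah's own tooling): item (3) of the quoted announcement publishes host key fingerprints in the legacy MD5 colon-hex form, and this Python code derives that form from a known_hosts entry and compares it with the published values before the key is trusted. The function names and the sample key entry are constructed for illustration; only the two fingerprints and the host name come from the message.

```python
import base64
import hashlib
import struct

# Fingerprints published in item (3) of the announcement (MD5, colon-hex).
PUBLISHED = {
    "ssh-dss": "4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5",
    "ssh-rsa": "80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5",
}

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob) for one unhashed known_hosts entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts key-type base64-blob")
    hosts, key_type = fields[0], fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with its own copy of the key type; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob differs from declared type")
    return hosts.split(","), key_type, blob

def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the raw key blob, colon-separated."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_published(line: str) -> bool:
    """True only if the entry's fingerprint equals the published one."""
    _, key_type, blob = parse_known_hosts_line(line)
    return md5_fingerprint(blob) == PUBLISHED.get(key_type)

# Constructed sample entry: well-formed ssh-rsa framing around made-up numbers,
# so it must NOT match the announced fingerprint.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xa5" * 128))
SAMPLE_LINE = "savannah.gnu.org ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_BLOB), matches_published(SAMPLE_LINE))
```

Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` prints the legacy form used in the announcement.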