[Tiger-devel] Information regarding Savannah compromise [Fwd: Tiger security tool (group #2247) audit report (OK)]

[Javier Fernández-Sanguino Peña]

(First off I'm sending this announcement to all list but future 
announcements will only be sent to tiger-announce, please subscribe to that 
list too, thanks)


Just for your information, I have just sent this mail to the Savannah 
admins. The bottom line is:

- CVS sources have been audited (by both Ryan and me) and are OK.

- Downloadable files have _not_ been audited yet (but when back online at 
http://savannah.nongnu.org/download/tiger/ they should include MD5sums and 
gpg signatures) Please check them yourself before using them.

As described in the Homepage, however, the sources available from Debian at 
http://ftp.debian.org/debian/pool/main/t/tiger/ (and mirrors) are OK. The 
Debian mirrors carry MD5sums (but not signatures, since the whole archive 
is signed itself).

Regards

Javier Fernandez-Sanguino

----- Forwarded message from Javier Fernández-Sanguino Peña <address@hidden> 
-----

From: Javier Fernández-Sanguino Peña <address@hidden>
Date: Thu, 8 Jan 2004 11:45:22 +0100
To: address@hidden
Cc: Ryan Bradetich <address@hidden>
Subject: Tiger security tool (group #2247) audit report (OK)

Hi, 

First of all Happy New Year and thank you for all the work being done in
the restoration of Savannah services.

With respect to the Tiger security tool (group #2247) I have recently 
manually audited:

- the CVS diffset provided by you for the project sources (post-compromise 
CVS and backup copy) 

- the HEAD CVS branch against my local copies of the project's source code
(this audit has also been done, at least, by Ryan Bradetich, rbrad, an 
active member of the project)

- the web pages CVS

We have _not_ found any suspicious files or differences which might lead us 
to believe that the source code has been compromised. All the differences 
I've found in the HEAD branch have been introduced by myself (outside the 
CVS sources)

We are thus starting to work, once again, with the Savannah CVS sources.

In any case, I would appreciate if a method to backup the whole CVSROOT 
tree was posted in the Savannah site (preferably under the CVS pages). It 
would be in the benefit of all admins if Savannah posted a full CVSROOT 
tar.gz copy that admins could download periodically. This would provide a 
way to do future audits in the event of another compromise.  Maybe 
providing a way to syncronize backup (local) CVS servers could be 
appropiate (maybe through CVSsync [1] or Unison?)

Finally, I would very much like to see a detailed documentation on the 
changes introduced on the Savannah site (chroot setup) not only to satisfy 
my curiosity but also so that other free software hosting projects (Berlios 
and Alioth) can improve also their security. Hopefully, you will have also 
considered this and are talking with those site admins.

Thanks again for all your hard work, it is really appreciated.

Regards

Javier Fernandez-Sanguino

[1] http://www.cvsync.org/
[2] http://www.cis.upenn.edu/~bcpierce/unison/



----- End forwarded message -----

--

signature.asc
Description: Digital signature