From: Lorenzo Hernandez Garcia-Hierro
Subject: [Savannah-hackers] Re: [Savane-dev] [IMPORTANT] GNU Savannah migration from Savannah (the Software) to GForge - Why?!
Date: Sun, 11 Apr 2004 14:09:13 +0200

Hi Richard,

> I'd like people to understand that we are not still considering the
> question.  It is a final decision to switch to Gforge.

Final decision? Why not consider giving some time to check whether GForge
is really the thing that can replace Savane? And what specific reasons can
you give us?
Is it more secure? Is it more efficient? Does it provide things that
Savane doesn't have?
In that case, why not propose them on the savane-dev list at !Gna?

> I will give a brief explanation.  We cannot continue using the
> Savannah software because we have no one to maintain it properly.
> GForge is maintained seriously.  Therefore we will switch to GForge.

AFAIK Mathieu Roy is currently a really good maintainer of the project, and
what about the other developers? Are 9 people "no one"?

There is a thing I don't understand. I've seen on some lists that a
possible reason is that "Savane is not secure enough",
but this is not true. Savane is like other software: it has bugs/holes
that are discovered by accident or by a source audit.
The first only happens when the system is compromised; the second occurs
when developers think that it is not secure at all.
I contacted the people of the project because of a source audit I made of
Savane; the response was perfect and things went
quickly. Now Savane is really good software except for one thing: it uses old,
insecure features of PHP. This problem will be solved
when the NRG branch (which solves this problem) gets merged with the trunk.

In the case of security, I want to talk about GForge (I've got the source
and I am looking at it):

As an example of the same problem (register_globals use), GForge shares it
with Savane;
just look at /www/sendmessage.php, line 16.
Variables are not set by method; they are registered as globals.
I found some funny "holes" in the code that are caused by the above
reason:
Look at source.php, lines 16-17:
bad use of $sys_show_source means that ANYBODY can see the source of
any file and bypass the protection by setting the boolean value of that variable.
Example:
http://gforge.org/source.php?file=source.php
is denied, so use
http://gforge.org/source.php?sys_show_source=true&file=source.php, and now you
can see sources with "permission".
I will check the rest of the code later.
A false sense of security is more dangerous than a real security problem.

> I don't have time to discuss this further.  I am in the hospital and
> falling behind on my other work.

OK, I wanted to give my opinion, sincerely.
Best regards.
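The register_globals weakness the message describes, shown as an added illustration constructed for this page (not the actual code of GForge, Savane or the message author; the function and configuration key names are invented), with the request-supplied gate next to a hardened form that reads the gate only from configuration and the file name only from $_GET:

```php
<?php
// Constructed illustration of the register_globals problem, not GForge's code.
// With register_globals=On, PHP copies every request parameter into a global
// variable before the script runs, so a gate variable that is read before the
// configuration assigns it can be supplied by the client (?sys_show_source=true).

// --- Vulnerable pattern (assumes register_globals=On) ---
function show_source_vulnerable(string $file): void
{
    global $sys_show_source;      // may already hold a value from the query string
    if (!$sys_show_source) {      // passes whenever the client sets it to "true"
        die('denied');
    }
    highlight_file($file);        // $file is also unrestricted: any readable path
}

// --- Hardened pattern ---
// 1. The gate is taken only from a trusted configuration array, never from a
//    global that a request could have populated, and defaults to "off".
// 2. The file name is read explicitly from $_GET, reduced to a bare basename and
//    resolved with realpath() so it cannot leave the configured directory.
function show_source_hardened(array $config, array $request): void
{
    $allowed = (bool) ($config['sys_show_source'] ?? false);
    if (!$allowed) {
        http_response_code(403);
        exit('denied');
    }
    $base   = realpath($config['source_dir']);
    $target = realpath($base . '/' . basename((string) ($request['file'] ?? '')));
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('no such file');
    }
    highlight_file($target);
}

// Example call: the file name comes from $_GET, the gate from configuration only.
// show_source_hardened(['sys_show_source' => false, 'source_dir' => __DIR__], $_GET);
//
// Independently of the code, disable the feature in php.ini (it was removed
// entirely in PHP 5.4):
//   register_globals = Off
```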
