List: kde-devel
Subject: easy-to-get KDE svn accounts (was: qt-firefox.. again!)
From: Matthew Woehlke <mw_triad () users ! sourceforge ! net>
Date: 2007-07-18 22:45:06
Message-ID: f7m55i$3ql$1 () sea ! gmane ! org
Ian Wadham wrote:
> I'm concerned that some script kiddy or an unscrupulous person with a
> commercial interest could slip in something nasty and not be detected
> until after release.
>
> Back in pre-history (late 70s) a US Air Force officer named Major Shell was
> charged with investigating the security of commercially-available operating
> systems for military use. So he assembled a team of hackers and set them
> to work. They found that it was ridiculously easy to penetrate any O/S,
> though the UNIX kernel stood up better than most. Shell was later promoted
> to Colonel (kernel?) for his efforts. Have fun with the puns, guys ... ;-)
>
> One of the things Shell's team did was to bluff the reception desks at
> suppliers' software labs, wander up to a screen in an office somewhere
> and stick a trapdoor into the code under development.
Hmm... but what was the state of VCS back then? :-) Did they have
commitfilter and dozens of people reviewing (at least cursorily) every
change made to the code? Did they have *any* code review process that
wasn't dependent on the cooperation of the developers? (In fact, how
many companies have automatic commit messages even today?)
> It seems to me that a SVN account offers somewhat similar access, except
> that an attacker could be half a world away ... It's just something to keep
> in mind, now that KDE is becoming larger in numbers of developers and a
> juicier target in the marketplace.
One difference (that is hopefully significant! :-) ) is that, as an open
source project*, anyone can inspect the source code for such holes, not
just a small group of developers.
(* KDE is of course Free Software as well, although that isn't crucial
for this point.)
--
Matthew
"A mouse is a device used to point at the xterm you want to type in."
--Kim Alm, A.S.R.