www-repository mailing list archives

From "Henk P. Penning" <he...@cs.uu.nl>
Subject Re: any issues related to the people.apache.org attack
Date Wed, 02 Sep 2009 15:11:44 GMT
On Wed, 2 Sep 2009, Carlos Sanchez wrote:

> Date: Wed, 2 Sep 2009 16:27:46 +0200
> From: Carlos Sanchez <carlos@apache.org>
> To: repository@apache.org
> Cc: Henk P. Penning <henkp@apache.org>
> Subject: Re: any issues related to the people.apache.org attack
> Sender: carlossg@gmail.com
> 
> I've got some sync mails (subject: [repo] /www/people.apache.org/repo/...)
>
> last gpg check using Henk's script is from Aug 26 with 3 bad signatures
> from Wesley Wannemacher,
>   http://people.apache.org/~henkp/repo/
>
> BTW, I noticed the script only checks
> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
> should it be updated to check all /www/people.apache.org/repo/ ?
> or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?
>
> seems it checks just the last month, if timestamps are altered it may
> not detect it?

   True ; they go unnoticed.

   The rationale for checking only last month's files is that

   1. errors are not always corrected ; new 'errors' would
      disappear in the flood of 'old' uncorrected errors ; see

        http://people.apache.org/~henkp/repo/20080724.html

      it contains a check of the whole (org/apache/) tree at
      2008-07-24 ; I don't think many errors were corrected,
      but I may be wrong there.

   2. The repo is just too big ;
      /www/people.apache.org/repo/ contains 524191 files.
      /repo/m2-ibiblio-rsync-repository/ contains 104276 files.
      /repo/m2-ibiblio-rsync-repository/org/apache contains 103719 files,
      with 541 files younger than a month, based on timestamp.

   It appears it would be feasible to check last month's files in
   /repo/m2-ibiblio-rsync-repository/ ; would that be useful ?

   The integrity protection of 524191 files requires an entirely
   different mechanism than checking the integrity of some 500 files.

   Regards,

   Henk Penning

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
http://people.cs.uu.nl/henkp/                 M penning@cs.uu.nl  \_/
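
Added example, not part of the original message and not the check script discussed in it: a Python sketch of the gap raised above, where a file whose content changes but whose timestamp stays old is skipped by a "last month" filter yet caught by comparing content hashes against a recorded manifest. The 30-day window, the function names and the sample file are assumptions constructed for the illustration.

```python
import hashlib, os, tempfile, time

MONTH = 30 * 24 * 3600  # assumed "last month" window, in seconds

def files_under(root):
    """Yield (relative path, absolute path) for every file below root."""
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            yield os.path.relpath(p, root), p

def recent_by_mtime(root, now, window=MONTH):
    """What a timestamp-based filter would select for checking."""
    return {rel for rel, p in files_under(root)
            if now - os.stat(p).st_mtime <= window}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 of content; mtime plays no part."""
    return {rel: sha256_of(p) for rel, p in files_under(root)}

def diff_manifest(root, manifest):
    """Compare the tree against a previously recorded manifest."""
    cur = build_manifest(root)
    return {
        "changed": sorted(r for r in cur if r in manifest and cur[r] != manifest[r]),
        "added": sorted(r for r in cur if r not in manifest),
        "removed": sorted(r for r in manifest if r not in cur),
    }

def demo():
    """Constructed case: content changes, timestamp stays over a year old."""
    now = time.time()
    old = now - 400 * 24 * 3600
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "sample-1.0.jar")  # constructed file name
        for content in (b"original", b"modified"):
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (old, old))
            if content == b"original":
                manifest = build_manifest(root)  # baseline taken here
        return recent_by_mtime(root, now), diff_manifest(root, manifest)
```

The manifest only helps if it is kept where someone with write access to the repository cannot rewrite it.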
