Sourceforge break-in and Python 2.1 security 
 Sourceforge break-in and Python 2.1 security

Hello,

I've been reading the reports of the break-in into SourceForge with
increasing alarm and I'm wondering if there is a security protocol in
place that guarantees the integrity of the python code being developed
there.

That is, should I worry that "Fluffy Bunny" claims that he broke into
SourceForge 5 months ago and I downloaded Python 2.1 after that?

--
------------------------------------------------------

Mamey - Internet Programming   http://www.*-*-*.com/
------------------------------------------------------
--



Wed, 19 Nov 2003 03:47:54 GMT  
 Sourceforge break-in and Python 2.1 security
[Andres Corrada-Emmanuel]

Quote:
> I've been reading the reports of the break-in into SourceForge with
> increasing alarm and I'm wondering if there is a security protocol in
> place that guarantees the integrity of the Python code being developed
> there.

Yes, with the US$500,000.00 seed money kindly contributed by the community,
we hired a battalion of guards to watch each byte 'round the clock <wink>.

Quote:
> That is, should I worry that "Fluffy Bunny" claims that he broke into
> SourceForge 5 months ago and I downloaded Python 2.1 after that?

"Can", sure, "should" depends on whether you want a life.  Any effective
change to the source code would have shown up on each developer's machine at
their next update, and most of us pay attention to which files have changed.
So even without particular effort, chances are good someone would have
caught a bogus change.  Someone clever and knowledgeable about Python
internals, who watched the Python checkin-list for a ripe opportunity, could
have snuck in a change related to a recent checkin that would escape casual
notice or even superficial scrutiny.  But that would take some work and
nobody would be impressed -- on ego-bang for the buck, cracking Python is a
no-payback game.

"kewl!-i-cracked-a-system-with-no-security-at-all!"-ly y'rs  - tim



Wed, 19 Nov 2003 04:06:39 GMT  
 Sourceforge break-in and Python 2.1 security
I'm running 2.1 and I am not worried.  I am not worried because
statistically speaking, people who break into things and then talk
about it are majorly interested in making people worried, which is why
the most shallow of them just make the talk without the breaking.
Getting you to make postings like you did is the point.  Now they can
tell all their friends that they made Tim Peters say something, which
the rest of us implement by saying `hi Tim'.

The next class of people change your software by globally changing
all instances of FooMaker into fooMaker.  Unless they are lame and
forget a file, or you are lame and have a FooMaker and a fooMaker
(which you might not be lame for, given certain types of coding
standardization which indeed requires you to have fooMaker objects
in the FooMaker class) they are no problem.  They are a {*filter*}y
annoyance as you change the code back, but not a real problem
for anybody who doesn't have to work on the code.  (Unless you
are teaching some hard coding standardization of variable names
and they break your convention so your teaching goes to hell. Be
careful with your changes, gang.)

These people need some really hard unsolved algorithms in the more
mathematical disciplines or math itself to occupy their bored
little minds. But those of us who have _got_ some unsolved
algorithms don't waste our time on pond scum, so we are of absolute
no use in keeping the world a safer place by giving them something more
cool to do than be pests.

Then there are the real problems.  They are real rare, and generally
get about because something is real popular (hey! lets do a denial of
service attack on Ebay. wouldn't that be cool?) or because they
hate you (Tim Peters is a total fool.  He said something wrong about
floating point _once_ in the last 10 years.  Let us make his life
hell.)  If it turns out that Tim Peters is up against that war,
and has chosen to not talk about it, then we need to immediately
back him unconditionally by ignoring it totally especially because
we do not understand what is going on.  Whatever it is, Tim Peters
has decided to not talk about it.  Hush.  (thus breaking the
rule, Tim Peters gets one free crack at calling  me pond scum,
because I know better, redeemable any time he likes.)

<but I am nice pond scum with a broken hyphen key it seems>
Laura



Wed, 19 Nov 2003 05:16:43 GMT  
 Sourceforge break-in and Python 2.1 security
If you are worried about the authenticity of your download, you can check
it against the MD5 sums posted on the Python site, on the downloads page.

Michael


Quote:
> Hello,

> I've been reading the reports of the break-in into SourceForge with
> increasing alarm and I'm wondering if there is a security protocol in
> place that guarantees the integrity of the Python code being developed
> there.

> That is, should I worry that "Fluffy Bunny" claims that he broke into
> SourceForge 5 months ago and I downloaded Python 2.1 after that?

> --
> ------------------------------------------------------

> Mamey - Internet Programming   http://www.mamey.com
> ------------------------------------------------------
> --



Wed, 19 Nov 2003 09:38:33 GMT  
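Two of the replies above describe concrete checks: Tim's point that a planted change would show up as an unexpected modified file at each developer's next update, and Michael's advice to compare a downloaded release against the MD5 sums on the downloads page. The script below is an added example written for this page, not code from the thread or from the Python project, and it does both jobs: it verifies a file against an md5sum-style listing, and it diffs a per-file hash manifest of a source tree against an earlier baseline. The tarball bytes, the checksum listing and the two "checkouts" are constructed in memory so it runs offline. One caveat the thread does not spell out: a checksum served by the same host the attacker had access to is weak evidence, so fetch the listing from a second source (a mirror, a mailing-list announcement, or a signed release) before trusting it, and prefer a modern hash for your own manifests since MD5 is no longer collision-resistant.

```python
import hashlib
import hmac
import io
from pathlib import Path

# Constructed stand-in for the downloaded archive; not real Python 2.1 data.
SAMPLE_TARBALL = b"Python-2.1.tgz: constructed stand-in for the real archive\n" * 64
# The same archive with one byte flipped, to show a mismatch being caught.
TAMPERED_TARBALL = SAMPLE_TARBALL.replace(b"stand-in", b"stand-on", 1)


def digest_stream(stream, algorithm="md5", chunk_size=1 << 16):
    """Hash a file-like object in chunks so a large tarball never sits whole in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


# Constructed listing in the "<hexdigest>  <filename>" layout that md5sum emits.
# In practice this text is what the downloads page (or better, a mirror) publishes.
GOOD_LISTING = f"{hashlib.md5(SAMPLE_TARBALL).hexdigest()}  Python-2.1.tgz\n"


def parse_checksum_listing(text):
    """Map filename -> lowercase hex digest; reject lines that do not have exactly two fields."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # md5sum marks binary mode with '*'
    return expected


def verify_download(name, stream, listing_text, algorithm="md5"):
    """Return (ok, detail). Uses a constant-time compare so the result does not leak timing."""
    expected = parse_checksum_listing(listing_text)
    if name not in expected:
        return False, "no published checksum for this file"
    actual = digest_stream(stream, algorithm)
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"mismatch: published {expected[name]}, computed {actual}"
    return True, actual


def verify_bytes(name, data, listing_text, algorithm="md5"):
    """Convenience wrapper for in-memory data (used by the examples below)."""
    return verify_download(name, io.BytesIO(data), listing_text, algorithm)


# Constructed in-memory "checkouts": relative path -> contents. The second one stands in
# for the tree after an update in which someone slipped a change into an existing file.
BASELINE_TREE = {
    "Lib/os.py": b"# os module\n",
    "Lib/socket.py": b"# socket module\n",
    "Modules/posixmodule.c": b"/* posix */\n",
}
UPDATED_TREE = {
    "Lib/os.py": b"# os module\n",
    "Lib/socket.py": b"# socket module\nimport not_in_the_checkin  # constructed change\n",
    "Objects/newobject.c": b"/* new file */\n",
}


def manifest_from_mapping(tree, algorithm="sha256"):
    """Per-file hash manifest of an in-memory tree."""
    return {path: hashlib.new(algorithm, data).hexdigest() for path, data in tree.items()}


def manifest_from_dir(root, algorithm="sha256"):
    """Same manifest for a real checkout on disk, skipping VCS metadata directories."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not ({"CVS", ".git", ".svn"} & set(p.parts)):
            with p.open("rb") as f:
                out[p.relative_to(root).as_posix()] = digest_stream(f, algorithm)
    return out


def diff_manifests(old, new):
    """Files added, removed or modified between two manifests; every entry deserves a look."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    print("good archive:", verify_bytes("Python-2.1.tgz", SAMPLE_TARBALL, GOOD_LISTING))
    print("tampered archive:", verify_bytes("Python-2.1.tgz", TAMPERED_TARBALL, GOOD_LISTING))
    print("tree changes:", diff_manifests(manifest_from_mapping(BASELINE_TREE),
                                          manifest_from_mapping(UPDATED_TREE)))
```

For a real checkout, save `manifest_from_dir(".")` to a file after a known-good update and diff the new manifest against it after each later update; the interesting output is a modified file that does not correspond to any checkin you saw on the checkin list.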
 Sourceforge break-in and Python 2.1 security


Quote:
> Hello,

> I've been reading the reports of the break-in into SourceForge with
> increasing alarm and I'm wondering if there is a security protocol in
> place that guarantees the integrity of the Python code being developed
> there.

> That is, should I worry that "Fluffy Bunny" claims that he broke into
> SourceForge 5 months ago and I downloaded Python 2.1 after that?

> --
> ------------------------------------------------------

> Mamey - Internet Programming   http://www.mamey.com
> ------------------------------------------------------
> --

I just want to meet Fluffy Bunny!


Fri, 21 Nov 2003 04:47:50 GMT  
 Sourceforge break-in and Python 2.1 security

Quote:
>These people need some really hard unsolved algorithms in the more
>mathematical disciplines or math itself to occupy their bored
>little minds. But those of us who have _got_ some unsolved

        No, these people need a small shovel and a large stable.

--
--
http://www.apa.org/journals/psp/psp7761121.html
It is one of the essential features of such incompetence that the person so
afflicted is incapable of knowing that he is incompetent. To have such
knowledge would already be to remedy a good portion of the offense.



Fri, 21 Nov 2003 16:10:06 GMT  
 Sourceforge break-in and Python 2.1 security

Quote:

> >These people need some really hard unsolved algorithms in the more
> >mathematical disciplines or math itself to occupy their bored
> >little minds. But those of us who have _got_ some unsolved

>         No, these people need a small shovel and a large stable.

Or just the shovel, correctly applied.

Quote:
> --
> http://www.apa.org/journals/psp/psp7761121.html
> It is one of the essential features of such incompetence that the person so
> afflicted is incapable of knowing that he is incompetent. To have such
> knowledge would already be to remedy a good portion of the offense.

--
      Joal Heagney is: _____           _____
   /\ _     __   __ _    |     | _  ___  |
  /__\|\  ||   ||__ |\  || |___|/_\|___] |
 /    \ \_||__ ||___| \_|! |   |   \   \ !


Sat, 22 Nov 2003 21:53:09 GMT  