On Thu, Apr 4, 2013 at 4:16 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> You're *still* understating the extent of the ceremony. They had to go
> through everything a subsequently-invited committer had to do, even though
> Sam Ruby provided the initial instructions. But thanks for mentioning the
> iCLA. That is a useful object to have on file in tracking down a possible
> credentials exploit.
>

It helps identify the person whose credentials were stolen. This is hardly a consolation to the user whose machine is hacked. It doesn't prevent anything. But it does allow us to contact them and apologize for the embarrassment we caused them by not taking sensible precautions to reduce their authorization when they stopped being active with the project.

> I agree that there are those who never showed up after being established.
> Rob apparently knows who they are. I assume that any commits from those
> (maybe even logons anywhere) will raise vigilant eyebrows. For double
> measure, Andrea should have the list, posted on private@ too and maybe
> filed in the PMC-private area. That should establish adequate oversight.
>
> I assume all checkins are reviewed, regardless of who they are from.

And if we had supermen programmers who by their mere glance could detect every subtle error in code that could be exploited, and do this 100% of the time with perfect accuracy, then I suppose we'd be fine. At that point, of course, I assume they would have found all the other bugs in OpenOffice as well, and our perfect programmers would give us perfect software. But none of these things are likely. In fact we know that is not true. That is why we occasionally need to issue security patches to fix *accidental* errors that crept into code. If we miss the accidental ones, then finding the obfuscated ones intentionally placed would be rather more difficult.

> There are also a few committers who have announced their resignation and
> not since rescinded it. Put those on that "watch list" also.
>
> I don't know what is to be done if any of those have used
> @openoffice.org e-mail addresses in their iCLA and as their @a.o forwarding
> address. I suppose those are the best to attempt impersonating. The first act to be
> accessing the profile of a user -- thus confirming the credential -- and
> changing the forwarding address. Then opting-in should be relatively easy,
> especially if the original @a.o-holder is not watching any lists here.
> Having done that, a malefactor can proceed to establish a PGP signature
> verified for the @a.o too.
>
> So, to lock this door, it is *really* necessary to lock-down those
> committer profiles and remove their authz everywhere. To be reinstated, it
> is probably necessary to convince the Secretary of the ASF that the request
> is authentic.
>

Or do what we do right now. The last time there was concern about the Apache IDs, Infra just reset the passwords. Everyone had to request a new password, which was sent to their email account of record. If their email account is down, then they would need to provide other acceptable proof. That might be slower.

Note that it is unlikely that a committer re-appears after not doing anything for 2 years and has an urgent need to check in code. But if it does happen we have ways of making it work. But it should be extremely rare.

-Rob

> - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:robw...@apache.org]
> Sent: Thursday, April 04, 2013 12:54
> To: dev@openoffice.apache.org
> Subject: Re: Proposal: Improve security by limiting committer access in SVN
>
> [ ... ]
>
> But with OpenOffice, there was a two week period of time when we rapidly
> bootstrapped the community by making people committers automatically, on
> day 1. All they had to do is put their name on a wiki page and return an
> ICLA and they were committers. No vetting, no vote. Quite a few of them
> never got involved in the project in even the least degree. So we have
> these phantom community members, with authorization to change the source
> code.
>
> Regards,
>
> -Rob
>
> [ ... ]