Update on Savannah compromise

Pavel Roskin proski at gnu.org
Mon Dec 15 09:08:22 UTC 2003


Hello!

As you probably know, savannah.gnu.org was compromised recently.  The
current status of the site can be found here:
http://savannah.gnu.org/statement.html

CVS access is anonymous only.  Write access will be restored using ssh2
keys.  Bugs and patches are unavailable.  I'm afraid it will take weeks
before Savannah is functional again.

There is a known good backup dated September 16.  The difference between
that version and the current CVS version has been posted here:
ftp://ftp.gnu.org/savannah/changesets/mc-changes.tar.gz

The changes are represented as separate diffs for every revision.  The
uncompressed size of mc-changes.tar.gz is 3.3 megabytes.  Changes in *.c
and *.h files under the src directory alone comprise more than 800 kilobytes.

It will take a lot of time to review all those patches.  But it needs to
be done so that the project can go on.  This is a serious setback for the
project, but I'm sure Savannah and GNU Midnight Commander will overcome
the difficulties.

It was my decision to move development to Savannah.  I still believe it
was the right decision.  We are unlucky to have been hit, but I don't think
the GNOME repository was more secure at the time of the move.

I'll be on vacation between December 25 and January 11.  I'll try to check
the moderation queues for the mailing lists from time to time.  I hoped to
release version 4.6.1 before that, but now it's clear that it's not going
to happen.  However, I'll try to complete the audit of the changes during the
next week.

If you have any patches or bug reports, please post them to this mailing
list while Savannah is down.  You may not get a fast reply, but it's still
better than doing nothing.

If Savannah doesn't recover by January 11, the development will be moved
elsewhere, probably to SourceForge.

-- 
Regards,
Pavel Roskin



More information about the mc-devel mailing list