On 04/13/2016 11:05 AM, Johannes Meixner wrote:
> Hello,
>
> On Apr 13 09:55 Thomas Biege wrote (excerpt):
>> You put the whole openSUSE community at risk.
>
> Do you mean that any openSUSE community member who can configure his "osc" tool on his own local computer can put the whole openSUSE community at risk?

Well, I assume that at least the credentials and the source code are transferred in plaintext and can be manipulated on the fly or captured. The credentials can be used to impersonate the developer that doesn't use SSL/TLS, which will hurt more than one person.

--
Viele Grüße / Best regards
Thomas
--
Thomas Biege <thomas@suse.de>, Team Lead MaintenanceSecurity, CSSLP
https://www.suse.com/security
SUSE Linux GmbH, GF: Felix Imendoerffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nuernberg)