Hello,

On Apr 13 12:29 Thomas Biege wrote (excerpt):
> On 04/13/2016 11:05 AM, Johannes Meixner wrote:
>> On Apr 13 09:55 Thomas Biege wrote (excerpt):
>>> You put the whole openSUSE community at risk.
>> Do you mean that any openSUSE community member who can configure
>> his "osc" tool on his own local computer can put the whole openSUSE
>> community at risk?
> Well, I assume that at least the credentials and the source code are
> transferred in plaintext and can be manipulated on the fly or captured.

Of course. But I would assume that anything that was uploaded onto OBS
servers is checked before something gets accepted for an openSUSE product,
regardless of how it had been uploaded? But I would also assume that
anything in arbitrary openSUSE community member home projects could be
arbitrarily bad.

> The credentials can be used to impersonate the developer that doesn't
> use SSL/TLS, which will hurt more than one person.

Yes. If a well-known openSUSE community member is impersonated by another
person, that other person could cause some trouble for some time. But when
everything that is uploaded under the user account of that openSUSE member
is checked before something gets accepted for an openSUSE product, nothing
really bad should happen.

For example, if someone who seems to be "Thomas Biege" submits a "critical
security bugfix" for one of "my" packages in OBS, I would nevertheless have
a look whether his submission seems to be o.k. for me. On the other hand, I
admit that someone whom I think is "Thomas Biege" could fool me with a
sufficiently complicated "critical security bugfix" patch, but then I would
hope that a real openSUSE security team member would have another look
whether that stuff is really o.k.

Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - GF: Felix Imendoerffer, Jane Smithard, Graham Norton - HRB 21284 (AG Nuernberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
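The risk Thomas raises above is that an `osc` configured to talk to OBS over plain HTTP sends the developer's credentials and sources unencrypted. A defender-side check for that misconfiguration, added here as an example (not code from this thread or from the osc project): it assumes osc's INI-style configuration, with an `apiurl` key in `[general]` and one section per API URL holding `user`/`pass`, and the sample configuration text below is constructed for the demo.

```python
"""Audit an osc configuration for API endpoints that are not protected by TLS.

Added example; not code from the mailing-list thread or from the osc project.
It assumes osc's INI-style configuration (a [general] section with an
``apiurl`` key, plus one section per API URL holding ``user``/``pass``);
the sample contents below are constructed for this demo.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: one TLS endpoint and one plaintext endpoint that
# also stores a password, i.e. the situation discussed in the thread.
SAMPLE_OSCRC = """\
[general]
apiurl = http://api.example.invalid

[https://api.opensuse.org]
user = alice
pass = s3cret

[http://api.example.invalid]
user = alice
pass = s3cret
"""


def insecure_endpoints(oscrc_text):
    """Return a sorted list of (section, reason) findings for non-TLS endpoints."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(oscrc_text)
    findings = []

    # The default apiurl is what osc talks to when no other API is selected.
    default_api = cfg.get("general", "apiurl", fallback="")
    if default_api and urlsplit(default_api).scheme != "https":
        findings.append(("general", f"default apiurl {default_api} is not https"))

    # Every per-URL section is an endpoint osc may authenticate against.
    for section in cfg.sections():
        parts = urlsplit(section)
        if parts.scheme not in ("http", "https"):
            continue  # not an endpoint section (e.g. [general])
        if parts.scheme != "https":
            reason = f"endpoint {section} uses plaintext http"
            if cfg.has_option(section, "pass"):
                reason += "; stored password would be sent unencrypted"
            findings.append((section, reason))
    return sorted(findings)


if __name__ == "__main__":
    for section, reason in insecure_endpoints(SAMPLE_OSCRC):
        print(f"[{section}] {reason}")
```

Run against a real configuration by reading the file into `insecure_endpoints` instead of `SAMPLE_OSCRC`; an empty result means every configured endpoint, including the default one, is reached over HTTPS.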