
Re: CONTRIB: CGI script for self-administering passwords in svnserve passwd files

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Thu, 05 Jun 2008 16:02:37 -0400

Hrm. It *is* pretty bad when you can't even perform an act of goodwill
without hassle.

That this would be a contrib/ script implies that it is not community
maintained, so I don't see any problem with letting you contribute the
thing. All the software in our repository -- from Subversion itself to its
tests to the tools and contributions -- is "Use at your own risk". Some of
that risk might be mitigated by virtue of having extra eyeballs on pieces of
the code, but it's still a risk to anybody who doesn't have full knowledge
and understanding of the entirety of our codebase. (Which is pretty much
everyone in the world, myself included.)

glasser: Would you feel better about it if the script failed with:

     ERROR: Only one person is known to have reviewed this script for
     security consciousness. If you're down with that, please comment out
     this error message.

?

Jonathan Kamens wrote:
> Greetings,
>
> Several months ago, I submitted to this list a CGI script to allow users
> to change their own passwords in svnserve passwd files, and suggested
> that the script be distributed in the Subversion contrib. area. Several
> developers reviewed my code and provided extremely useful feedback,
> which I incorporated.
>
> David Glasser subsequently offered to sponsor me for partial commit
> access so I could add the script to the contrib. area, but he said that
> he preferred for someone else to do a security audit before doing so.
> He sent email to the list twice about this, the most recent time being
> on April 9, asking for a volunteer to do the security audit, but I’ve
> seen no responses.
>
> I’ve written the code. I want to give it away. It just needs somebody
> to review it. Please, somebody help me out here. :-)
>
> See attached for the current version of the script.
>
> Thanks,
>
> *Jonathan Kamens*
> *Operations Manager / Principal Engineer*
> *Tamale Software*
> 201 South Street, Floor 3
> Boston, MA 02211
> (617) 261-0264 ext. 133

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on 2008-06-05 22:02:52 CEST

This is an archived mail posted to the Subversion Dev mailing list.