
Re: CONTRIB: CGI script for self-administering passwords in svnserve passwd files

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Thu, 05 Jun 2008 16:53:49 -0400

"C. Michael Pilato" <cmpilato_at_collab.net> writes:
> Hrm. It *is* pretty bad when you can't even perform an act of
> goodwill without hassle.
>
> That this would be a contrib/ script implies that it is not
> community maintained, so I don't see any problem with letting you
> contribute the thing. All the software in our repository -- from
> Subversion itself to its tests to the tools and contributions -- is
> "Use at your own risk". Some of that risk might be mitigated by
> virtue of having extra eyeballs on pieces of the code, but it's still
> a risk to anybody who doesn't have full knowledge and understanding of
> the entirety of our codebase. (Which is pretty much everyone in the
> world, myself included.)
>
> glasser: Would you feel better about it if the script failed with:
>
> ERROR: Only one person is known to have reviewed this script for
> security consciousness. If you're down with that, please comment out
> this error message.
>
> ?

I say check it in to contrib/. The way to find bugs is to ship :-).

(only half in jest),
-Karl

> Jonathan Kamens wrote:
>> Greetings,
>>
>> Several months ago, I submitted to this list a CGI script to allow
>> users to change their own passwords in svnserve passwd files, and
>> suggested that the script be distributed in the Subversion
>> contrib. area. Several developers reviewed my code and provided
>> extremely useful feedback, which I incorporated.
>>
>> David Glasser subsequently offered to sponsor me for partial commit
>> access so I could add the script to the contrib. area, but he said
>> that he preferred for someone else to do a security audit before
>> doing so. He sent email to the list twice about this, the most
>> recent time being on April 9, asking for a volunteer to do the
>> security audit, but I’ve seen no responses.
>>
>> I’ve written the code. I want to give it away. It just needs
>> somebody to review it. Please, somebody help me out here. :-)
>>
>> See attached for the current version of the script.
>>
>> Thanks,
>>
>> *Jonathan Kamens*
>> *Operations Manager / Principal Engineer*
>> *Tamale Software*
>> 201 South Street, Floor 3
>> Boston, MA 02211
>> (617) 261-0264 ext. 133
>
> --
> C. Michael Pilato <cmpilato_at_collab.net>
> CollabNet <> www.collab.net <> Distributed Development On Demand

Received on 2008-06-05 22:54:24 CEST

This is an archived mail posted to the Subversion Dev mailing list.