[Project_owners] XPI security issues

Pete Collins pete at mozdev.org
Fri Jan 23 09:39:06 EST 2004


> I see 2 hard-to-solve security problems at mozdev.org:
> 
>    * No checks for projects owners or source code
>      Any malice person could create a project on mozdev, maybe just
>      something very simple but useful like a new context menu item, and
>      hide malicious code in there.
>      Also, many project owners are not very proficient in security
>      matters and may unintentionally introduce holes.

This is true. There is no reasonable way to ensure the integrity of all 
the projects on Mozdev other than adhering to the natural evolution of 
free software. If a rogue project evolves, then we will shut it down. 
How does source forge deal w/ this issue?

>    * Server security
>      mozdev.org servers have been rooted at least twice. 

This *new* box has never been rooted or compromised. To my knowledge we 
were rooted about three years ago when we were running ftp. I think that 
happened twice before I shut down ftp service for good. The root kit 
allowed uploading to the anonymous ftp dir so pirated software can be 
served, thus sucking an enormous amount of bandwidth. We reinstalled w/ 
trusted media immediately after.

incidentally, the crakers originated from Germany. I think I even 
remember you translating some of the cracker files I found.

> This is in
>      part due to the large number of services running on these hosts.

In large part due to ftp which has been shut down for years now.

>      As soon as a CVS server is rooted, you have to treat *all* the
>      code in the CVS repository (that means *all* source code in *all*
>      projects) as untrusted and potentially malicious, even the source
>      for your own project.* That's why I think it's best to have CVS on
>      a dedicated machine, where *only* CVS runs.

I have been adamant about keeping cvs secure. We are running v, 1.11.11 
which is the latest most secure stable release version to date.

> *When the Debian download servers got rooted (which is bad enough), they 
> re-installed most servers from scratch and checked all downloads against 
> other copies.

Mozdev has been reinstalled on a new server and OS last July after the 
old Linux box we were on crashed and burned after a DOS attack.

Everyone is responsibe and accountable for the integrity of their own 
projects.

--pete

-- 
Pete Collins
www.mozdev.org
www.mozdevgroup.com



More information about the Project_owners mailing list