RE: [PHP-DEV] CVS Account Request From: Rasmus Lerdorf (rasmus <email protected>)
Date: 11/15/00

> Do you guys remember the people who hacked apache.org? They did it just to
> show how easy it is, and if they weren't 'white hats', they could have
> easily injected bogus code into the most popular Web server in the
> world. PHP is the most popular open-source Web language in the world, and
> we shouldn't make it easier for hackers to get in.

That was a completely separate situation. And nothing that has been
mentioned here would do anything to prevent such an attack on PHP. The
Apache.org hackers got in through a badly configured web server/ftp server
configuration and gained root through a bogus bugzilla configuration.
Whether or not we have extra cvs accounts in our pserver password file
makes no difference whatsoever to server security. The basic problem at
apache.org was that each person with cvs access automatically got an
account on the main apache server. And many of these people got root
access. There were too many people doing too many things at once on that
particular box. Since a cvs account does not imply a server account in
the PHP project I don't see where this comparison is applicable.

-Rasmus

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
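The distinction Rasmus draws, a CVS pserver account that does not automatically become a login on the box, can be audited mechanically. The script below is an added example, not code from the php-dev thread or from the PHP project. It assumes the documented `CVSROOT/passwd` layout (`username:crypted_password[:system_username]`, with the system user defaulting to the CVS username when the third field is absent) and the usual seven-field `/etc/passwd`; both inputs are constructed sample data, and the set of non-interactive shells is an assumption you would adjust for your hosts. It reports every pserver account whose backing system user has an interactive shell, which is exactly the coupling the apache.org incident description warns about.

```python
"""Added example: flag CVS pserver accounts that double as shell accounts.

Assumptions (not from the thread):
  - CVSROOT/passwd lines are  username:crypted_password[:system_username]
    and the system username defaults to the CVS username when omitted.
  - /etc/passwd has the usual seven colon-separated fields, shell last.
  - Shells in NOLOGIN_SHELLS are treated as non-interactive.
"""

# Assumed list of shells that deny interactive login; adjust per platform.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_cvs_passwd(text):
    """Return {cvs_user: system_user} from CVSROOT/passwd contents."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        cvs_user = fields[0]
        # Third field (system user) is optional; it defaults to the CVS name.
        system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
        mapping[cvs_user] = system_user
    return mapping


def parse_etc_passwd(text):
    """Return {login: shell} from /etc/passwd contents."""
    shells = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, ignore rather than guess
        shells[fields[0]] = fields[6]
    return shells


def cvs_accounts_with_shell(cvs_text, etc_text):
    """Return sorted (cvs_user, system_user, shell) triples for pserver
    accounts whose backing system user can log in interactively.

    A pserver account whose system user is unknown to /etc/passwd is
    skipped: pserver cannot switch to a user that does not exist.
    """
    shells = parse_etc_passwd(etc_text)
    findings = []
    for cvs_user, system_user in parse_cvs_passwd(cvs_text).items():
        shell = shells.get(system_user)
        if shell is None or shell in NOLOGIN_SHELLS:
            continue
        findings.append((cvs_user, system_user, shell))
    return sorted(findings)


# Constructed sample CVSROOT/passwd: hashes are placeholders, not real.
SAMPLE_CVS_PASSWD = """
# cvs_user:crypted_password[:system_user]
rasmus:XXplaceholderXX:cvsuser
alice:XXplaceholderXX
bob:XXplaceholderXX:bob
"""

# Constructed sample /etc/passwd for the same host.
SAMPLE_ETC_PASSWD = """
root:x:0:0:root:/root:/bin/sh
cvsuser:x:500:500:cvs pserver:/var/cvs:/sbin/nologin
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/false
"""


if __name__ == "__main__":
    for cvs_user, system_user, shell in cvs_accounts_with_shell(
        SAMPLE_CVS_PASSWD, SAMPLE_ETC_PASSWD
    ):
        print(f"pserver account {cvs_user!r} maps to login {system_user!r} "
              f"with interactive shell {shell}")
```

On the constructed data only `alice` is reported: `rasmus` is backed by a dedicated no-login `cvsuser`, and `bob` maps to an account whose shell is `/bin/false`, so neither CVS credential grants a shell on the host. An empty report is the state Rasmus describes for the PHP project, where a CVS account does not imply a server account.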