RE: [PHP-DEV] CVS Account Request
From: John Donagher (john <email protected>)
Date: 11/15/00

The apache hack was a system-level vulnerability which is something any software distribution repository is vulnerable to.

I tend to agree with Rasmus on this one. Although someone could certainly commit malicious code to the repository, someone relatively unknown (like me) slipping code past the subscribers of php-cvs is probably not an easy thing. I don't think cutting off so many potential contributors at the ankles would be beneficial to PHP's evolution.

John

On Wed, 15 Nov 2000, Zeev Suraski wrote:

> At 23:17 15/11/2000, Mike Robinson wrote:
> >Rasmus wrote:
> >
> > > We have yet to have a problem and it feels to me like you
> > > are trying to fix something that isn't broken.
> >
> >IMHO, bingo.
>
> I was actually meaning to try and test this system, by applying from a fake
> Email, obtaining access, and injecting a security hole into the source
> tree, just to show how easy it is. I finally decided against it, mainly
> due to lack of time.
>
> Do you guys remember the people who hacked apache.org? They did it just to
> show how easy it is, and if they weren't 'white hats', they could have
> easily injected bogus code into the most popular Web server in the
> world. PHP is the most popular open-source Web language in the world, and
> we shouldn't make it easier for hackers to get in.
>
> In my opinion, waiting for such a thing to happen instead of fixing it
> beforehand is, well, not-smart.
>
> CVS ACLs may be the best solution, I'm not too familiar with what you can
> and cannot do with them yet.
>
> Zeev
>
>
> --
> Zeev Suraski <zeev <email protected>>
> CTO, Zend Technologies Ltd. http://www.zend.com/
>
>
>

-- 

John Donagher
Application Engineer
Intacct Corp. - Powerful Accounting on the Web
408-395-0989
720 University Ave. Los Gatos CA 95032
www.intacct.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDnCZ1oRBACFgkFCV6p3dWic1qm1FLhip5beIyzZSt+ccTDYQQdPZA/t5H+k
PZ7ZFBIUrXz/oEqwQwlEKlg8JQqg7hgtcL+xrIJ0BInLeSJG4lvvB551g59Thr7/
OsdxNVxKci775+K+GkdAz4xcULMuB+QE7t665Ri46EAS8ALos5UG6DGmhwCguD0v
1cxwy/KlKr+oi4sWM9caueED/RmjiSD3vmBZQt6PMisVe1AmkEf6cJoemduCSJxu
0eMz/LIeu+CqfpuJH2N/dZ3hRj9xMSHF4l71wKqV99zhm58kDGwG1u3yVzULPDqz
0yL+8nunlkoOUyn3zOnh3Zmz4POFVMZQ5oian3QkLllUwly5JCi5tWULxZ2vOkb0
zzjuA/4jigNxYV4NAyCl+wAbnyzk9/Iz8EHv4/0Ex8ytlcMtvBJKa9HjJxlyIl74
yOILHk3+GSAdM0b3ZmbavpoCpebinOMBhqEVBwCI4VUIAqf86gx+2dKBGxfKPnU4
Xxvqs/BOl/EbeJjyd4uieYndGRaWg+kYXqZ7SxrlFN24fohnd7QgSm9obiBEb25h
Z2hlciA8am9obkB3ZWJtZXRhLmNvbT6IVgQTEQIAFgUCOcJnWgQLCgQDAxUDAgMW
AgECF4AACgkQIt6tVu6+jd3SHwCgjssFktMXf8NjE9JBR+sJ2gDIsW8An0CFNdFd
dU+DJYC6ogYP9AsVfM27uQENBDnCZ2MQBAD8E0qe1gBKjtoRmyiyORtwhOz/2XZE
mqiZN2NouAUWRRZd4dHggFAA1jUsp2MVIZZQyY9ajNVy3Oaxj5kYz8LR5GItxxcD
jC8RFXKM40ZfTJeR7fH6eJa689w+le71Tt4ALyN4xcjSWuksr8795AhHFjonDi8D
rgGIq6GtWvi/KwADBgQAmeBbcjPzhqR2M8TdvEyNfVTQSSp/RNoTjNNWpHui8V0p
kiQ49tbsqeMjXGToGgMugfmrX77JidXyuVjgYjT9xUdaaA25qKAR75M9izDliT7Y
h5L+QZTAw0/5X9go7XK3WI3LYfFrp4TP0veXgSWxDqccqsRzWKW7IoXsliTCbVqI
RgQYEQIABgUCOcJnYwAKCRAi3q1W7r6N3YIcAKCkJMTPLu6tOPnXPl2s3xmnSawy
BACeOx83WlBhVScYWo+BUzntJ6ks4T0=
=OkJU
-----END PGP PUBLIC KEY BLOCK-----
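The "CVS ACLs" that Zeev floats in the quoted message, worked through as an added example that is not code from this thread nor from PHP's own CVSROOT. It is a POSIX sh commitinfo hook with a default-deny rule file: the rule-file format, the `avail` file name, the reliance on `CVS_USER` for the committer's name, and the sample user and path names are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example of the "CVS ACL" approach Zeev mentions; this is not PHP's
# CVSROOT configuration, and the rule-file format below is invented here.
#
# CVS runs each matching CVSROOT/commitinfo program as
#     program <absolute repository dir> <file>...
# and refuses the commit when the program exits non-zero. That exit status
# is the only hook this script relies on. A commitinfo line such as
#     ALL   $CVSROOT/CVSROOT/cvs-acl-check.sh
# would attach it to every directory (wiring assumed, not from the thread).
#
# Rule file, one rule per line, later rules override earlier ones:
#     avail|user1,user2|dir-prefix-relative-to-CVSROOT
#     unavail|user1,user2|dir-prefix-relative-to-CVSROOT
# "*" in the user list matches any user; an empty prefix matches the whole
# tree. No matching rule means deny, so an account obtained under a fake
# name can commit nowhere until a path is explicitly granted to it.

# acl_allows USER DIR RULEFILE: exit 0 if USER may commit to DIR, else 1.
acl_allows() {
    user=$1
    dir=$2
    rulefile=$3
    verdict=1                               # default deny
    while IFS='|' read -r action users prefix; do
        case $action in ''|'#'*) continue ;; esac
        # the user list must name this user or the wildcard
        case ",$users," in
            *",$user,"*|*",*,"*) ;;
            *) continue ;;
        esac
        # DIR must be the prefix itself or lie below it; the trailing slash
        # keeps "php4/pear" from also matching "php4/pearl"
        if [ -n "$prefix" ]; then
            case "$dir/" in
                "$prefix"/*) ;;
                *) continue ;;
            esac
        fi
        case $action in
            avail)   verdict=0 ;;
            unavail) verdict=1 ;;
        esac
    done < "$rulefile"
    return $verdict
}

# write_sample_acl PATH: constructed sample rules (not PHP's real access list).
write_sample_acl() {
    cat > "$1" <<'EOF'
# core committers everywhere under php4, except php4/main is reserved
avail|rasmus,zeev|php4
avail|john,mike|php4/pear
unavail|*|php4/main
avail|zeev|php4/main
EOF
}

# Entry point as CVS invokes it. The committer name is taken from CVS_USER,
# which CVS exports to hook scripts for pserver logins (assumed here), with
# the process owner as the fallback for :local:/:ext: commits.
if [ $# -gt 0 ]; then
    committer=${CVS_USER:-$(id -un)}
    reldir=${1#"$CVSROOT"/}
    if acl_allows "$committer" "$reldir" "$CVSROOT/CVSROOT/avail"; then
        exit 0
    fi
    echo "cvs-acl-check: $committer may not commit to $reldir" >&2
    exit 1
fi
```

Two design points matter for the scenario Zeev describes. Default deny means that handing out an account to a stranger grants nothing by itself; someone still has to add that name to a rule for a path, which is the review step the thread is arguing about. And because later rules override earlier ones, a blanket `avail` for the core team can be narrowed again with an `unavail` on a sensitive directory without touching the other rules. The hook only protects the repository against commits through CVS; it does nothing about the host-level compromise John refers to in the apache.org case.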

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>