Re: [phoenix-dev] move community and home page to git

Well... crap. I'm usually pretty good at noticing this sort of thing, but missed it completely. I think that I have an inherent trust issue here (i.e. I just automatically trusted that our site would be secure). I wonder if I share that with others? I think we need to put some more warnings on OrionHub to prevent others from making this mistake.

I did start capturing instructions for this [1]. I think they're still useful (and would apply to a local installation of Orion), so I'll leave them up. I've added repeated warnings to "not do this".

Oh... and I changed my password :-(

Wayne

[1] http://wiki.eclipse.org/Git/Editing_your_Eclipse_project_Website_using_Orion

On 09/11/2012 11:48 AM, Denis Roy wrote:
> On 09/10/2012 05:43 PM, Wayne Beaton wrote:
>> Actually... I'm thinking that we should probably use Orion.
>
> Actually, I would very much prefer not.
>
> Orion is still not release/production ready, and although I'm sure the Orion team are doing the best they can, I can only assume that at this point in the project's lifecycle, feature-completeness is a higher priority than security. Since you'll be entering (storing?) your eclipse.org committer credentials, any security hole and/or exploit could lead us to a massive amount of pain -- website defacing, SSH access, root escalation.
>
> Furthermore, OrionHub is not yet SSL-secured (we're slowly working on it) so that makes matters even more dangerous.
>
> At this time, do not enter/store your committer credentials in OrionHub.
>
> Thanks

--
Wayne Beaton
The Eclipse Foundation
Twitter: @waynebeaton
Explore Eclipse Projects