Well... crap. I'm usually pretty good at noticing this sort of
thing, but missed it completely. I think that I have an inherent
trust issue here (i.e. I just automatically trusted that our site
would be secure). I wonder if I share that with others? I think we
need to put some more warnings on OrionHub to prevent others from
making this mistake.
I did start capturing instructions for this [1]. I think they're
still useful (and would apply to a local installation of Orion), so
I'll leave them up. I've added repeated warnings to "not do this".
Oh... and I changed my password :-(
Wayne
[1] http://wiki.eclipse.org/Git/Editing_your_Eclipse_project_Website_using_Orion
On 09/11/2012 11:48 AM, Denis Roy wrote:
On 09/10/2012 05:43 PM, Wayne Beaton wrote:
Actually... I'm thinking that we should probably use Orion.
Actually, I would very much prefer not.
Orion is still not release/production ready, and although I'm sure
the Orion team are doing the best they can, I can only assume that
at this point in the project's lifecycle, feature-completeness is
a higher priority than security. Since you'll be entering
(storing?) your eclipse.org committer credentials, any security
hole and/or exploit could lead us to a massive amount of pain --
website defacing, SSH access, root escalation.
Furthermore, OrionHub is not yet SSL-secured (we're slowly working
on it) so that makes matters even more dangerous.
At this time, do not enter/store your committer credentials in
OrionHub.
Thanks
_______________________________________________
phoenix-dev mailing list
phoenix-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/phoenix-dev
--
Wayne Beaton
The Eclipse Foundation
Twitter: @waynebeaton