Posted to dev@subversion.apache.org by Jonathan Kamens <jo...@tamalesoftware.com> on 2008/06/05 18:46:37 UTC

CONTRIB: CGI script for self-administering passwords in svnserve passwd files

Greetings,

Several months ago, I submitted to this list a CGI script to allow users
to change their own passwords in svnserve passwd files, and suggested
that the script be distributed in the Subversion contrib. area.  Several
developers reviewed my code and provided extremely useful feedback,
which I incorporated.

David Glasser subsequently offered to sponsor me for partial commit
access so I could add the script to the contrib. area, but he said that
he preferred for someone else to do a security audit before doing so.
He sent email to the list twice about this, the most recent time being
on April 9, asking for a volunteer to do the security audit, but I've
seen no responses.

I've written the code.  I want to give it away.  It just needs somebody
to review it.  Please, somebody help me out here. :-)

See attached for the current version of the script.

Thanks,

Jonathan Kamens
Operations Manager / Principal Engineer
Tamale Software
201 South Street, Floor 3
Boston, MA  02211
(617) 261-0264 ext. 133


Re: CONTRIB: CGI script for self-administering passwords in svnserve passwd files

Posted by Karl Fogel <kf...@red-bean.com>.
Karl Fogel <kf...@red-bean.com> writes:
> I say check it in to contrib/.  The way to find bugs is to ship :-).

Further conversation in IRC tilted me toward a middle position: Can you
ship it yourself (that is, put it up on the web somewhere), and we'll
link to it from http://subversion.tigris.org/links.html?

I think the problem is that even though contrib/ doesn't officially mean
any endorsement or support, some endorsement is still implied, and
unfortunately it's hard for us to review this -- in part because it's in
Perl (not a slur on Perl, I'm just observing that reviewers are not
stepping out of the woodwork, and hypothesizing that that's because we
don't have too many Perl programmers here).  I myself do not feel
competent to review it; my Perl is too rusty at this point.  And David
Glasser's cursory review did find some holes before, so we know it's a
possibility.

We do want people to be able to find the script, though.  Listing it on
links.html is a good way to do that.

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: CONTRIB: CGI script for self-administering passwords in svnserve passwd files

Posted by Karl Fogel <kf...@red-bean.com>.
"C. Michael Pilato" <cm...@collab.net> writes:
> Hrm.  It *is* pretty bad when you can't even perform an act of
> goodwill without hassle.
>
> That this would be a contrib/ script implies that it is not
> community maintained, so I don't see any problem with letting you
> contribute the thing.  All the software in our repository -- from
> Subversion itself to its tests to the tools and contributions -- is
> "Use at your own risk".  Some of that risk might be mitigated by
> virtue of having extra eyeballs on pieces of the code, but it's still
> a risk to anybody who doesn't have full knowledge and understanding of
> the entirety of our codebase.  (Which is pretty much everyone in the
> world, myself included.)
>
> glasser: Would you feel better about it if the script failed with:
>
>     ERROR:  Only one person is known to have reviewed this script for
>     security consciousness.  If you're down with that, please comment out
>     this error message.
>
> ?

I say check it in to contrib/.  The way to find bugs is to ship :-).

(only half in jest),
-Karl


> Jonathan Kamens wrote:
>> Greetings,
>>
>> Several months ago, I submitted to this list a CGI script to allow
>> users to change their own passwords in svnserve passwd files, and
>> suggested that the script be distributed in the Subversion
>> contrib. area.  Several developers reviewed my code and provided
>> extremely useful feedback, which I incorporated.
>>
>> David Glasser subsequently offered to sponsor me for partial commit
>> access so I could add the script to the contrib. area, but he said
>> that he preferred for someone else to do a security audit before
>> doing so.  He sent email to the list twice about this, the most
>> recent time being on April 9, asking for a volunteer to do the
>> security audit, but I’ve seen no responses.
>>
>> I’ve written the code.  I want to give it away.  It just needs
>> somebody to review it.  Please, somebody help me out here. :-)
>>
>> See attached for the current version of the script.
>>
>> Thanks,
>>
>> *Jonathan Kamens*
>> *Operations Manager / Principal Engineer*
>> *Tamale Software*
>> 201 South Street, Floor 3
>> Boston, MA  02211
>> (617) 261-0264 ext. 133
>
> -- 
> C. Michael Pilato <cm...@collab.net>
> CollabNet   <>   www.collab.net   <>   Distributed Development On Demand



Re: CONTRIB: CGI script for self-administering passwords in svnserve passwd files

Posted by "C. Michael Pilato" <cm...@collab.net>.
Hrm.  It *is* pretty bad when you can't even perform an act of goodwill 
without hassle.

That this would be a contrib/ script implies that it is not community 
maintained, so I don't see any problem with letting you contribute the 
thing.  All the software in our repository -- from Subversion itself to its 
tests to the tools and contributions -- is "Use at your own risk".  Some of 
that risk might be mitigated by virtue of having extra eyeballs on pieces of 
the code, but it's still a risk to anybody who doesn't have full knowledge 
and understanding of the entirety of our codebase.  (Which is pretty much 
everyone in the world, myself included.)

glasser: Would you feel better about it if the script failed with:

     ERROR:  Only one person is known to have reviewed this script for
     security consciousness.  If you're down with that, please comment out
     this error message.

?

Jonathan Kamens wrote:
> Greetings,
> 
> Several months ago, I submitted to this list a CGI script to allow users 
> to change their own passwords in svnserve passwd files, and suggested 
> that the script be distributed in the Subversion contrib. area.  Several 
> developers reviewed my code and provided extremely useful feedback, 
> which I incorporated.
> 
> David Glasser subsequently offered to sponsor me for partial commit 
> access so I could add the script to the contrib. area, but he said that 
> he preferred for someone else to do a security audit before doing so.  
> He sent email to the list twice about this, the most recent time being 
> on April 9, asking for a volunteer to do the security audit, but I’ve 
> seen no responses.
> 
> I’ve written the code.  I want to give it away.  It just needs somebody 
> to review it.  Please, somebody help me out here. :-)
> 
> See attached for the current version of the script.
> 
> Thanks,
> 
> *Jonathan Kamens*
> *Operations Manager / Principal Engineer*
> *Tamale Software*
> 201 South Street, Floor 3
> Boston, MA  02211
> (617) 261-0264 ext. 133

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand