Posted to repository@apache.org by Steve Loughran <st...@gmail.com> on 2009/09/02 12:59:21 UTC
any issues related to the people.apache.org attack
Looking at the people.apache.org writeup
https://blogs.apache.org/infra/entry/apache_org_downtime_report
I'm wondering if anyone could have got a malicious article into the
main or snapshot repositories. Did any artifacts turn up during the
day? Unsigned? It may be good to delete them
Re: any issues related to the people.apache.org attack
Posted by Steve Loughran <st...@gmail.com>.
On Wed, Sep 2, 2009 at 12:13 PM, Tony Stevenson<to...@pc-tony.com> wrote:
> Steve,
>
> As the article said, no Apache code or software was affected by this. The
> attacker did not manage to elevate their privileges to be able to do this.
I know they didn't do the main repo, but as some of the snapshot stuff
is more open to people.apache.org, I was worried about that
specifically. Thank you for reassuring me
Re: any issues related to the people.apache.org attack
Posted by Tony Stevenson <to...@pc-tony.com>.
Steve,
As the article said, no Apache code or software was affected by this.
The attacker did not manage to elevate their privileges to be able to
do this.
Tony
On 2 Sep 2009, at 11:59, Steve Loughran wrote:
> Looking at the people.apache.org writeup
> https://blogs.apache.org/infra/entry/apache_org_downtime_report
>
> I'm wondering if anyone could have got a malicious article into the
> main or snapshot repositories. Did any artifacts turn up during the
> day? Unsigned? It may be good to delete them
>
Cheers,
Tony
--------------------------------------------
Tony Stevenson
tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk
http://blog.pc-tony.com
1024D/51047D66 ECAF DC55 C608 5E82 0B5E
3359 C9C7 924E 5104 7D66
--------------------------------------------
Re: any issues related to the people.apache.org attack
Posted by Steve Loughran <st...@gmail.com>.
> The integrity protection of 524191 files requires an entirely
> different mechanism than checking the integrity of some 500 files.
In Hadoop every data server runs a thread continually doing CRC32
validation of blocks; this is how you protect your 4PB filesystem from
errors. Something could be done there:
- store JARs in HAR archives to keep the file count low
- run MR jobs to generate the PGP keys
- compare with expected
- reduce: list all JARs that fail.
This only verifies the JARs in the Hadoop filesystem though...
Re: any issues related to the people.apache.org attack
Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Wed, 2 Sep 2009, Henk P. Penning wrote:
> Date: Wed, 2 Sep 2009 17:11:44 +0200 (CEST)
> From: Henk P. Penning <he...@cs.uu.nl>
> To: Carlos Sanchez <ca...@apache.org>
> Cc: repository@apache.org
> Subject: Re: any issues related to the people.apache.org attack
>
> On Wed, 2 Sep 2009, Carlos Sanchez wrote:
>> BTW, I noticed the script only checks
>> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
>> should it be updated to check all /www/people.apache.org/repo/ ?
>> or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?
> It appears it would be feasible to check last month's files in
> /repo/m2-ibiblio-rsync-repository/ ; would that be useful ?
Ok ; checks are now done on
/www/people.apache.org/repo/m2-ibiblio-rsync-repository/
Increasing the range didn't result in more problems.
HPP
----------------------------------------------------------------
Henk P. Penning, Computer Systems Group   R Uithof CGN-A232
Dept of Computer Science, Utrecht University   T +31 30 253 4106
Padualaan 14, 3584CH Utrecht, the Netherlands   F +31 30 253 2804
http://people.cs.uu.nl/henkp/   M penning@cs.uu.nl
Re: any issues related to the people.apache.org attack
Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Wed, 2 Sep 2009, Carlos Sanchez wrote:
> Date: Wed, 2 Sep 2009 16:27:46 +0200
> From: Carlos Sanchez <ca...@apache.org>
> To: repository@apache.org
> Cc: Henk P. Penning <he...@apache.org>
> Subject: Re: any issues related to the people.apache.org attack
> Sender: carlossg@gmail.com
>
> I've got some sync mails (subject: [repo] /www/people.apache.org/repo/...)
>
> last gpg check using Henk's script is from Aug 26 with 3 bad signatures
> from Wesley Wannemacher,
> http://people.apache.org/~henkp/repo/
>
> BTW, I noticed the script only checks
> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
> should it be updated to check all /www/people.apache.org/repo/ ?
> or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?
>
> seems it checks just the last month, if timestamps are altered it may
> not detect it?
True ; they go unnoticed.
The rationale for checking only last month's files is that
1. errors are not always corrected ; new 'errors' would
disappear in the flood of 'old' uncorrected errors ; see
http://people.apache.org/~henkp/repo/20080724.html
it contains a check of the whole (org/apache/) tree at
2008-07-24 ; I don't think many errors were corrected,
but I may be wrong there.
2. The repo is just too big ;
/www/people.apache.org/repo/ contains 524191 files.
/repo/m2-ibiblio-rsync-repository/ contains 104276 files.
/repo/m2-ibiblio-rsync-repository/org/apache contains 103719 files,
with 541 files younger than a month, based on timestamp.
It appears it would be feasible to check last month's files in
/repo/m2-ibiblio-rsync-repository/ ; would that be useful ?
The integrity protection of 524191 files requires an entirely
different mechanism than checking the integrity of some 500 files.
Regards,
Henk Penning
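As an added illustration, not code from this thread or from Henk's script, of two points raised above: Carlos's caveat that a check limited to files younger than a month by timestamp never opens a replaced file whose mtime was reset, and Steve's "compare with expected" idea, under which a baseline inventory of content hashes taken while the tree is known good catches the change whatever the mtime says. The paths, contents and timestamps below are constructed.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400.0
NOW = 1251892800.0  # constructed "now": 2009-09-02 12:00 UTC

@dataclass
class Entry:
    path: str      # repository-relative path of an artifact
    data: bytes    # file contents
    mtime: float   # modification time as a Unix timestamp

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_baseline(entries: list[Entry]) -> dict[str, str]:
    """Inventory path -> SHA-1, recorded while the tree is known good."""
    return {e.path: sha1_hex(e.data) for e in entries}

def select_recent(entries: list[Entry], now: float, days: int = 30) -> list[str]:
    """What a 'files younger than a month' check looks at: mtime only."""
    cutoff = now - days * DAY
    return sorted(e.path for e in entries if e.mtime >= cutoff)

def diff_against_baseline(baseline: dict[str, str], entries: list[Entry]) -> list[str]:
    """Paths whose content differs from (or is absent in) the baseline, whatever their mtime."""
    current = {e.path: sha1_hex(e.data) for e in entries}
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def missed_by_timestamp_filter(baseline: dict[str, str], entries: list[Entry],
                               now: float, days: int = 30) -> list[str]:
    """Changed files that a timestamp-based selection would never examine."""
    recent = set(select_recent(entries, now, days))
    return [p for p in diff_against_baseline(baseline, entries) if p not in recent]

# Constructed sample: the trusted snapshot and the tree as found later.
TRUSTED = [
    Entry("org/apache/foo/1.0/foo-1.0.jar", b"foo-1.0 jar bytes", NOW - 200 * DAY),
    Entry("org/apache/bar/2.1/bar-2.1.jar", b"bar-2.1 jar bytes", NOW - 5 * DAY),
]
# foo-1.0.jar was replaced and its mtime reset to the original value;
# bar-2.1.jar is untouched but recent enough to be selected for rechecking.
FOUND = [
    Entry("org/apache/foo/1.0/foo-1.0.jar", b"foo-1.0 jar bytes, altered", NOW - 200 * DAY),
    Entry("org/apache/bar/2.1/bar-2.1.jar", b"bar-2.1 jar bytes", NOW - 5 * DAY),
]
```

Against a real tree the baseline would be taken from a copy you trust (for example the mirror source at a known-good date), and the same diff applies to the .asc signature files, which is what makes a backdated replacement visible without opening every one of the half-million files each run.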
Re: any issues related to the people.apache.org attack
Posted by Carlos Sanchez <ca...@apache.org>.
I've got some sync mails (subject: [repo] /www/people.apache.org/repo/...)
last gpg check using Henk's script is from Aug 26 with 3 bad signatures
from Wesley Wannemacher,
http://people.apache.org/~henkp/repo/
BTW, I noticed the script only checks
/www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
should it be updated to check all /www/people.apache.org/repo/ ?
or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?
seems it checks just the last month, if timestamps are altered it may
not detect it?
On Wed, Sep 2, 2009 at 12:59 PM, Steve Loughran<st...@gmail.com> wrote:
> Looking at the people.apache.org writeup
> https://blogs.apache.org/infra/entry/apache_org_downtime_report
>
> I'm wondering if anyone could have got a malicious article into the
> main or snapshot repositories. Did any artifacts turn up during the
> day? Unsigned? It may be good to delete them
>