Posted to repository@apache.org by Steve Loughran <st...@gmail.com> on 2009/09/02 12:59:21 UTC

any issues related to the people.apache.org attack

Looking at the people.apache.org writeup
https://blogs.apache.org/infra/entry/apache_org_downtime_report

I'm wondering if anyone could have got a malicious article into the
main or snapshot repositories. Did any artifacts turn up during the
day? Unsigned? It may be good to delete them

Re: any issues related to the people.apache.org attack

Posted by Steve Loughran <st...@gmail.com>.
On Wed, Sep 2, 2009 at 12:13 PM, Tony Stevenson <to...@pc-tony.com> wrote:
> Steve,
>
> As the article said, no Apache code or software was affected by this.  The
> attacker did not manage to elevate their privileges to be able to do this.

I know they didn't do the main repo, but as some of the snapshot stuff
is more open to people.apache.org, I was worried about that
specifically. Thank you for reassuring me

Re: any issues related to the people.apache.org attack

Posted by Tony Stevenson <to...@pc-tony.com>.
Steve,

As the article said, no Apache code or software was affected by this.
The attacker did not manage to elevate their privileges to be able to
do this.


Tony



On 2 Sep 2009, at 11:59, Steve Loughran wrote:

> Looking at the people.apache.org writeup
> https://blogs.apache.org/infra/entry/apache_org_downtime_report
>
> I'm wondering if anyone could have got a malicious article into the
> main or snapshot repositories. Did any artifacts turn up during the
> day? Unsigned? It may be good to delete them
>




Cheers,
Tony


--------------------------------------------
Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk

http://blog.pc-tony.com

1024D/51047D66 ECAF DC55 C608 5E82 0B5E
3359 C9C7 924E 5104 7D66
--------------------------------------------






Re: any issues related to the people.apache.org attack

Posted by Steve Loughran <st...@gmail.com>.
>  The integrity protection of 524191 files requires an entirely
>  different mechanism than checking the integrity of some 500 files.


In Hadoop every data server runs a thread continually doing CRC32
validation of blocks; this is how you protect your 4PB filesystem from
errors. Something could be done there:
- store JARs in HAR archives to keep the file count low
- run MR jobs to generate the PGP keys
- compare with expected
- reduce: list all JARs that fail.

This only verifies the JARs in the Hadoop filesystem though...

Re: any issues related to the people.apache.org attack

Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Wed, 2 Sep 2009, Henk P. Penning wrote:

> Date: Wed, 2 Sep 2009 17:11:44 +0200 (CEST)
> From: Henk P. Penning <he...@cs.uu.nl>
> To: Carlos Sanchez <ca...@apache.org>
> Cc: repository@apache.org
> Subject: Re: any issues related to the people.apache.org attack
> 
> On Wed, 2 Sep 2009, Carlos Sanchez wrote:

>> BTW, I noticed the script only checks
>> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
>> should it be updated to check all /www/people.apache.org/repo/ ?
>> or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?

>  It appears it would be feasible to check last month's files in
>  /repo/m2-ibiblio-rsync-repository/ ; would that be useful ?

   Ok ; checks are now done on

     /www/people.apache.org/repo/m2-ibiblio-rsync-repository/

   Increasing the range didn't result in more problems.

   HPP

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
http://people.cs.uu.nl/henkp/                 M penning@cs.uu.nl  \_/

Re: any issues related to the people.apache.org attack

Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Wed, 2 Sep 2009, Carlos Sanchez wrote:

> Date: Wed, 2 Sep 2009 16:27:46 +0200
> From: Carlos Sanchez <ca...@apache.org>
> To: repository@apache.org
> Cc: Henk P. Penning <he...@apache.org>
> Subject: Re: any issues related to the people.apache.org attack
> Sender: carlossg@gmail.com
> 
> I've got some sync mails (subject: [repo] /www/people.apache.org/repo/...)
>
> last gpg check using Henk script is from Aug 26 with 3 bad signatures
> from Wesley Wannemacher,
>   http://people.apache.org/~henkp/repo/
>
> BTW, I noticed the script only checks
> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
> should it be updated to check all /www/people.apache.org/repo/ ?
> or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?
>
> seems it checks just the last month, if timestamps are altered it may
> not detect it?

   True ; they go unnoticed.

   The rationale for checking only last month's files is that

   1. errors are not always corrected ; new 'errors' would
      disappear in the flood of 'old' uncorrected errors ; see

        http://people.apache.org/~henkp/repo/20080724.html

      it contains a check of the whole (org/apache/) tree at
      2008-07-24 ; I don't think many errors were corrected,
      but I may be wrong there.

   2. The repo is just too big ;
      /www/people.apache.org/repo/ contains 524191 files.
      /repo/m2-ibiblio-rsync-repository/ contains 104276 files.
      /repo/m2-ibiblio-rsync-repository/org/apache contains 103719 files,
      with 541 files younger than a month, based on timestamp.

   It appears it would be feasible to check last month's files in
   /repo/m2-ibiblio-rsync-repository/ ; would that be useful ?

   The integrity protection of 524191 files requires an entirely
   different mechanism than checking the integrity of some 500 files.

   Regards,

   Henk Penning

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
http://people.cs.uu.nl/henkp/                 M penning@cs.uu.nl  \_/
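
As an added example, not Henk's script nor any Apache tooling, the Python below contrasts the page's mtime-based "files younger than a month" selection with a content-hash manifest kept outside the tree, which still reports a replaced artifact when its timestamp has been put back to the old value (the case Carlos raised). The artifact path and file contents are constructed placeholders; the gpg signature check itself is not shown and would be run over whichever selection is used.

```python
import hashlib
import os
import tempfile
import time

DAY = 86400

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(root):
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            yield os.path.join(dirpath, name)

def recent_files(root, now, days=30):
    # Timestamp-based selection as on the page: only files whose mtime is
    # younger than `days` are candidates for (re)checking.
    return [p for p in walk_files(root) if now - os.path.getmtime(p) < days * DAY]

def build_manifest(root):
    # Content hash per artifact; the manifest must live outside the tree.
    return {os.path.relpath(p, root): sha256_file(p) for p in walk_files(root)}

def changed_since_manifest(root, manifest):
    # Content-based check: lists every path that was modified, added or
    # removed since the manifest was taken, whatever its mtime now says.
    current = build_manifest(root)
    return sorted(k for k in set(manifest) | set(current) if manifest.get(k) != current.get(k))

def write_with_mtime(path, data, stamp):
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (stamp, stamp))

def demo():
    # Constructed scenario (hypothetical artifact path): an old jar is
    # overwritten and its mtime put back to the old value, as Carlos described.
    root = tempfile.mkdtemp()
    now = time.time()
    jar = os.path.join(root, "org/apache/example/1.0/example-1.0.jar")
    os.makedirs(os.path.dirname(jar))
    stamp = now - 90 * DAY
    write_with_mtime(jar, b"original bytes", stamp)
    manifest = build_manifest(root)  # baseline taken before the change
    write_with_mtime(jar, b"replaced bytes", stamp)
    by_mtime = [os.path.relpath(p, root) for p in recent_files(root, now)]
    by_hash = changed_since_manifest(root, manifest)
    return by_mtime, by_hash
```

The mtime selection returns nothing for the replaced jar, while the manifest comparison names it; a real deployment would sign or otherwise protect the manifest so it cannot be rewritten alongside the artifacts.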

Re: any issues related to the people.apache.org attack

Posted by Carlos Sanchez <ca...@apache.org>.
I've got some sync mails (subject: [repo] /www/people.apache.org/repo/...)

last gpg check using Henk script is from Aug 26 with 3 bad signatures
from Wesley Wannemacher,
   http://people.apache.org/~henkp/repo/

BTW, I noticed the script only checks
/www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache
should it be updated to check all /www/people.apache.org/repo/ ?
or at least /www/people.apache.org/repo/m2-ibiblio-rsync-repository/ ?

seems it checks just the last month, if timestamps are altered it may
not detect it?

On Wed, Sep 2, 2009 at 12:59 PM, Steve Loughran <st...@gmail.com> wrote:
> Looking at the people.apache.org writeup
> https://blogs.apache.org/infra/entry/apache_org_downtime_report
>
> I'm wondering if anyone could have got a malicious article into the
> main or snapshot repositories. Did any artifacts turn up during the
> day? Unsigned? It may be good to delete them
>