Libpng GIT activity at SourceForge

The "git" activity at SourceForge seems to be picking up some steam.

There have been about 100 read transactions since the last commit. Curiously, there are several "devel write" transactions and a "devel read" transaction that were not by me, that occurred in the last 2 days. This hints at a possible security problem, although I don't see any actual changes to the repository, so maybe there is a simple explanation.

Has anyone here, who has a sourceforge account, attempted to push something to the libpng repo in the last 2 days? If you've got a patch, please post it to this list or send it directly to me.

Glenn

_______________________________________________
png-mng-implement mailing list
png-mng-implement@...
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
Re: Libpng GIT activity at SourceForge

On Sun, 25 Oct 2009, Glenn Randers-Pehrson wrote:

> The "git" activity at SourceForge seems to be picking up some steam.
> There have been about 100 read transactions since the last
> commit.

It seems likely that 'ohloh' is responsible for most of the read transactions since you have three 'ohloh' enlistments pointed at it. Ohloh's scans produce a quite heavy read load, and they occur often.

> Curiously, there are several "devel write" transactions and a
> "devel read" transaction that were not by me, that occurred in
> the last 2 days. This hints at a possible security problem, although
> I don't see any actual changes to the repository, so maybe there
> is a simple explanation.

Perhaps this is something automated that SourceForge is doing. The 'ohloh' analysis is not seeing these write transactions and I am not seeing it via SF's Git web interface. If there was a security issue, it seems unlikely that SourceForge would inform its users of it (or know about it). SourceForge is huge and complex, so if it was exploited by a master hacker, the exploit could be unknown for years.

It has been quite a long time since SourceForge notified projects about potential security issues. SourceForge almost has a monopoly on the open source world (e.g. SourceForge, Ohloh, FreshMeat, SlashDot, ThinkGeek, linux.com) and notifications about security issues would taint its appeal. SourceForge has not established any obligation to notify project authors of security exploits. If you do some poking around, you will see that these sites lead to several different (and inconsistent) "terms of use" statements, all of which commit you to various obligations to SourceForge if you access the sites, but none of which obligate SourceForge to do anything on your behalf.

> Has anyone here, who has a sourceforge account, attempted
> to push something to the libpng repo in the last 2 days? If
> you've got a patch, please post it to this list or send it
> directly to me.

It seems that there are only two other people (Guy Schalnat and Andreas Dilger) who are supposed to be enabled to commit at SourceForge. However, SourceForge could run git tools in an automated fashion across the various projects for some sort of maintenance task.

Bob
--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Re: Libpng GIT activity at SourceForge

On Sun, Oct 25, 2009 at 1:10 PM, Bob Friesenhahn <bfriesen@...> wrote:

> On Sun, 25 Oct 2009, Glenn Randers-Pehrson wrote:
>
>> The "git" activity at SourceForge seems to be picking up some steam.
>> There have been about 100 read transactions since the last
>> commit.
>
> It seems likely that 'ohloh' is responsible for most of the read
> transactions since you have three 'ohloh' enlistments pointed at it.
> Ohloh's scans produce a quite heavy read load, and they occur often.

Ohloh made 3 scans yesterday, so it accounts for 3 anonymous read transactions only, and none of today's anonymous reads.

>> Curiously, there are several "devel write" transactions and a
>> "devel read" transaction that were not by me, that occurred in
>> the last 2 days. This hints at a possible security problem, although
>> I don't see any actual changes to the repository, so maybe there
>> is a simple explanation.
>
> Perhaps this is something automated that SourceForge is doing. The
> 'ohloh' analysis is not seeing these write transactions and I am not
> seeing it via SF's Git web interface. If there was a security issue,
> it seems unlikely that SourceForge would inform its users of it (or
> know about it). SourceForge is huge and complex, so if it was
> exploited by a master hacker, the exploit could be unknown for years.

If this is a symptom of a security problem, I noticed it within hours, and reported it to SF. They have not answered. See https://sourceforge.net/apps/trac/sourceforge/ticket/5960

> It has been quite a long time since SourceForge notified projects
> about potential security issues.

Just last week SF answered two of my bug submissions. Both were about 8 years old, and the answer was that they were no longer relevant under the new file release management system. That's true, but they closed the bugs so I couldn't respond that I agreed.

> SourceForge almost has a monopoly on the open source world (e.g.
> SourceForge, Ohloh, FreshMeat, SlashDot, ThinkGeek, linux.com) and
> notifications about security issues would taint its appeal.
> SourceForge has not established any obligation to notify project
> authors of security exploits. If you do some poking around, you will
> see that these sites lead to several different (and inconsistent)
> "terms of use" statements, all of which commit you to various
> obligations to SourceForge if you access the sites, but none of which
> obligate SourceForge to do anything on your behalf.
>
>> Has anyone here, who has a sourceforge account, attempted
>> to push something to the libpng repo in the last 2 days? If
>> you've got a patch, please post it to this list or send it
>> directly to me.
>
> It seems that there are only two other people (Guy Schalnat and
> Andreas Dilger) who are supposed to be enabled to commit at
> SourceForge.

I made those commits on their behalf, using Brandon's "gitify" script. No one besides me is supposed to be able to commit to the libpng repository, and I expected that no one besides me would be able to affect the "devel read" and "devel write" statistics.

Anyhow, the SF git stats seem to be counting "pushes" not "commits". If I make a half-dozen local commits over several days and then push to SF, that counts as one "write transaction" on the date of the "push".

> However, SourceForge could run git tools in an automated
> fashion across the various projects for some sort of maintenance task.

IF that's so, I'd expect activity to show up in pmt/pngcrush as well, but it doesn't.

Glenn