Fedora Community Pre-Beta Testing
Till Maas
opensource at till.name
Wed May 13 21:26:37 UTC 2009
On Wed May 13 2009, Tom "spot" Callaway wrote:
> On 05/13/2009 04:58 PM, Till Maas wrote:
> > Also I trust Bodhi, Koji and the Pkgdb more, because they are not
> > announced to be trustworthy by their developers. You wrote in the
> > announcement:
> > | Please don't rely on this test instance for anything.
>
> So, to summarize, you're interpreting that as a statement of insecurity?
> Far from it. I meant it more as a statement of "there are bugs, some
> functionality doesn't work right".
No, this summary lacks the important fact that the password is not transferred
via a secured connection. The problem that the application itself may have
security vulnerabilities is only one reason why it is not a good idea to test
it with the real FAS passwords. Another reason I can think of is that these
passwords may be disclosed to the people that debug the tested application or
that they are logged somewhere, because usually the logging on testing setups
is more verbose than on stable ones. Even on the stable Fedora wiki setup FAS
passwords were logged by accident.
Regards
Till