On Wed May 13 2009, Tom "spot" Callaway wrote:

> On 05/13/2009 04:58 PM, Till Maas wrote:
> > Also I trust Bodhi, Koji and the Pkgdb more, because they are not
> > announced to be trustworthy by their developers. You wrote in the
> > announcement:
> > | Please don't rely on this test instance for anything.
>
> So, to summarize, you're interpreting that as a statement of insecurity?
> Far from it. I meant it more as a statement of "there are bugs, some
> functionality doesn't work right".

No, this summary lacks the important fact that the password is not
transferred via a secured connection. The problem that the application
itself may have security vulnerabilities is only one reason why it is not
a good idea to test it with the real FAS passwords. Another reason I can
think of is that these passwords may be disclosed to the people that debug
the tested application, or that they are logged somewhere, because usually
the logging on testing setups is more verbose than on stable ones. Even on
the stable Fedora wiki setup FAS passwords were logged by accident.

Regards
Till