Re: Fedora Community Pre-Beta Testing

On Wed May 13 2009, Tom "spot" Callaway wrote:
> On 05/13/2009 04:58 PM, Till Maas wrote:
> > Also I trust Bodhi, Koji and the Pkgdb more, because they are not
> > announced to be trustworthy by their developers. You wrote in the
> > announcement:
> > | Please don't rely on this test instance for anything.
> So, to summarize, you're interpreting that as a statement of insecurity?
> Far from it. I meant it more as a statement of "there are bugs, some
> functionality doesn't work right".

No, this summary lacks the important fact that the password is not transferred
via a secured connection. The problem that the application itself may have
security vulnerabilities is only one reason why it is not a good idea to test
it with the real FAS passwords. Another reason I can think of is that these
passwords may be disclosed to the people that debug the tested application or
that they are logged somewhere, because usually the logging on testing setups
is more verbose than on stable ones. Even on the stable Fedora wiki setup FAS
passwords were logged by accident.


