
Re: Fedora Community Pre-Beta Testing



Till Maas wrote:
> No, this summary lacks the important fact that the password is not transferred 
> via a secured connection. The problem that the application itself may have 
> security vulnerabilities is only one reason why it is not a good idea to test 
> it with the real FAS passwords. Another reason I can think of is that these 
> passwords may be disclosed to the people that debug the tested application or 
> that they are logged somewhere, because usually the logging on testing setups 
> is more verbose than on stable ones. Even on the stable Fedora wiki setup FAS 
> passwords were logged by accident.
> 
After discussion with mmcgrath, lmacken, and spot we've decided that to
mitigate this, we're going to get the Fedora Community application into
the staging environment.  The staging environment closely mirrors the
production environment, has a valid SSL certificate, and authenticates
against a test FAS instance that is populated with production data but
can diverge (i.e., you can change your password in the staging FAS so you
do not have to use your real FAS password with the staging environment).

However, there are a lot of packages that make up Fedora Community and
several core pieces that we are not presently running in production.  So
it may be a while before we get the necessary packages through Fedora
review, installed, configured in puppet, decided on secure
configurations, and set up in the staging environment.

-Toshio


