Sourceforge break-in and Python 2.1 security

Tim Peters tim.one at home.com
Fri Jun 1 16:06:39 EDT 2001


[Andres Corrada-Emmanuel]
> I've been reading the reports of the break-in into SourceForge with
> increasing alarm and I'm wondering if there is a security protocol in
> place that guarantees the integrity of the Python code being developed
> there.

Yes, with the US$500,000.00 seed money kindly contributed by the community,
we hired a battalion of guards to watch each byte 'round the clock <wink>.

> That is, should I worry that "Fluffy Bunny" claims that he broke into
> SourceForge 5 months ago and I downloaded Python 2.1 after that?

"Can", sure, "should" depends on whether you want a life.  Any effective
change to the source code would have shown up on each developer's machine at
their next update, and most of us pay attention to which files have changed.
So even without particular effort, chances are good someone would have
caught a bogus change.  Someone clever and knowledgeable about Python
internals, who watched the Python checkin-list for a ripe opportunity, could
have snuck in a change related to a recent checkin that would escape casual
notice or even superficial scrutiny.  But that would take some work and
nobody would be impressed -- on ego-bang for the buck, cracking Python is a
no-payback game.

"kewl!-i-cracked-a-system-with-no-security-at-all!"-ly y'rs  - tim
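Tim's point is that a tampered file would show up as an unexpected change on each developer's next update. As an added example, not part of this thread or of CPython's own tooling, the following compares a source tree against a trusted per-file SHA-256 manifest and reports anything added, removed, or modified; the directory layout, file names and contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(trusted: dict, current: dict) -> dict:
    """Files added, removed, or modified in `current` relative to `trusted`."""
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "modified": sorted(k for k in trusted.keys() & current.keys()
                           if trusted[k] != current[k]),
    }


def demo() -> dict:
    """Constructed demo: snapshot a tiny tree, then alter it and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "Objects").mkdir(parents=True)
        (src / "Objects" / "listobject.c").write_text("/* constructed */\n")
        (src / "setup.py").write_text("print('hello')\n")
        trusted = build_manifest(src)          # the baseline a developer keeps
        # Simulate what a tampered checkout would look like
        (src / "Objects" / "listobject.c").write_text("/* constructed */\n/* bogus */\n")
        (src / "Objects" / "extra.c").write_text("")
        (src / "setup.py").unlink()
        return diff_manifests(trusted, build_manifest(src))
```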
