
[Fhsst-authors] Notice about FHSST


From: Mark Horner
Subject: [Fhsst-authors] Notice about FHSST
Date: Fri, 12 Dec 2003 16:55:53 +0200 (SAST)

Hi all,

I looked into the reason for the Savannah server upgrade and the original 
explanation is below. Due to the CVS server problems, could people just 
write their sections and email them to me? I had a CVS server running on 
hlt.phy.uct.ac.za a while back, and I'll bring the repository up to date 
and teach everyone how to use it soon. In the meantime, please try to write 
your sections in LaTeX and just send them to me.

Here is that explanation:

On December 1st, 2003, we discovered that the "Savannah" system, which is 
maintained by the Free Software Foundation and provides CVS and 
development services to the GNU project and other Free Software projects, 
was compromised circa November 2nd, 2003.

The compromise seems to be of the same nature as the recent attacks on 
Debian project servers; the attacker seemed to operate identically. 
However, this incident was distinctly different from the modus operandi we 
found in the attacks on our FTP server in August 2003. We have also 
confirmed that an unauthorized party gained root access and installed a 
root-kit ("SucKIT") on November 2nd, 2003.

In the interest of continuing cooperation and in helping to improve 
security for all essential Free Software infrastructure, and despite 
important philosophical differences, we are working closely with Debian 
project members to find the perpetrators and to secure essential Free 
Software infrastructure for the future. We hope to have future joint 
announcements that discuss a unified strategy for addressing these 
problems.

For the moment, we are installing replacement hardware for the Savannah 
system, and we will begin restoring the Savannah software this week. 
Initially, there will be some security-related changes which may be 
inconvenient for our developers. We will try to ease these as we find 
secure ways to do so. We are in particular researching ways to ensure 
secured authentication of the source code trees stored on the system.

We will send more detailed announcements about efforts to verify the 
authenticity of the source code hosted on Savannah, and how the community 
can help in that effort once we've brought the system back online.

We hope to have at least minimal services back up by Friday 5 December 
2003. 

-- 
Mark Horner

UCT-CERN Research Centre
Physics Department
University of Cape Town
Rondebosch
7700
South Africa

Phone: +27 21 650 3366 (office)
Phone: +27 83 564 6272 (cellular)
Fax:   +27 21 650 3342
AIM:   marknewlyn

Homepage:
http://hep.phy.uct.ac.za/~horner

Co-author:
http://www.nongnu.org/fhsst
http://savannah.gnu.org/projects/fhsst

"It went well. There are no problems, and, as a bonus, it showed that I
have a brain!"
- Stormers and Springbok backrower CORNE KRIGE speaking after undergoing a
precautionary brain scan after a clash of heads during a Super 12 match.





