[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ff3d-users] Fwd: Status of savannah.{gnu,nongnu}.org

From: Stephane Del Pino
Subject: [ff3d-users] Fwd: Status of savannah.{gnu,nongnu}.org
Date: Tue, 23 Dec 2003 11:37:29 +0100
User-agent: KMail/1.5.4

Hash: SHA1

Dear ff3d's users.

- ---------
As you may have noticed savannah's services were troubled due to a malicious 
attack of many free software project site.

Thank to the efforts of the savannah's team it is up again!
This announce is provided here as an attachement.

To improve security many changed have been or will be performed.
People using anonymous cvs will have to read the paragraph 2.

If one gets any trouble I think it would be better to submit it here on 
address@hidden, since savannah's administrators still have a lot of 

- -----
Thanks to this, I will be able to commit very soon a lot of changes that were 
made in ff3d:
- - lots of code design improvements which leads to the following
- - integration of EFDM and FEM is done: automatic mesher call and degrees of
  freedom computation is performed
- - "simplification" of the boundary description
- - Standard FEM is know completly implemented. P1 (tetrahedra) and Q1
  (hexahedra) elements are both implemented. First tests I made shown that
  Dirichlet conditions should work in both cases but Neumann and Robin give
  strange results. I will try to fix it before I commit it.
- - And of course some bug fix.

In order to have a complete standard FEM solver the following are still 
- - interpolation on unstructured grids (nearly implemented for P1, maybe never
  for Q1), and
- - characteristic method for convection term like in Navier-Stokes, which is
  not started.
- - mesh generation tools: two remarks there.
  1) no automatic 3d mesh generator will be available in ff3d while the
     surface mesher is buggy. Generated mesh may contain holes! This is not a
     problem for EFDM since holes are *very* small, but this prevents from 3d
  2) I have made some very promising experiments using tetgen
     (http://tetgen.berlios.de), thanks to Lichun Zhu for the link. This tool
     provides output in the INRIA's mesh format which is read by ff3d.
     Moreover, since tetgen can be used as a library, integration of it in
     ff3d will be possible.

I am still working on the documentation and fixed lots of typos. On going work 
is providing more examples. Developping 1 or 2 paragraphs which do not seem 
that clear and finally hading a section describing more precisely what does 
the code. And had standard FEM usage of ff3d [which is quite close from 

I know that version 1 is late. The main reasons are the following. First a 
very malicious bug where found by october and second feature freeze period 
was respected since one of my boss asked for unstructured solver.

Wow that was quite long,
thanks for using ff3d and Merry Christmas to every one,
Version: GnuPG v1.2.3 (GNU/Linux)

--- Begin Message --- Subject: Status of savannah.{gnu,nongnu}.org Date: Tue, 23 Dec 2003 01:03:20 -0500
Hash: SHA1

                                         Monday 22 December 2003, 19:51 EST

Dear Savannah Users,

As you know, savannah.gnu.org and savannah.nongnu.org have been down for a
number of weeks due to a system crack.  Thanks to the contributions of
many people -- most notably Mathieu Roy, Jim Blair, and Paul Fisher -- the
system is working again for existing projects.

We have implemented a new security infrastructure that uses chroot'ed
environments to isolate each project.  We have of course tightened up
security, but even if that tightened security is compromised for a
particular project, the cracker can most likely only impact that one
project.  Please read this whole statement in detail before beginning work

As part of the security changes, there are nine user-visible changes of
particular interest.  Six of those changes are implemented now (three of
which are temporary), and two will be implemented later.  They are as

   (0) All passwords were invalidated.  You will need use the "Lost
       Password" option to regain access.  (Click on "Login via SSL" and
       then the "[Lost Password?]" link.)  Expect an email shortly once
       you've clicked that link.  If you do not receive the email within a
       very short time period to the address you had on file with your
       account, please write to <address@hidden>.

       Once you have access again, please check the developer and
       administrator lists for all your projects, and be sure that you
       recognize all the email addresses and user accounts attached to
       your projects.  It is up to each user to vigilantly check the other
       authorized users, just as it was to check the integrity of your

   (1) All authorized SSH keys have been removed from the database.  Once
       your account is reactivated, you must again upload your SSH key.
       We now only accept SSHv2 keys.  Although the web interface will
       allow you to upload SSHv1 keys, they will not function to give you
       access.  Only SSHv2 keys will provide access and savannah will only
       accept SSHv2 connections.

   (2) Anonymous CVS access will continue, but pserver access has been
       discontinued.  We realize that many have become accustomed to this
       form of anonymous access, but we found many security problems in
       pserver and we must avoid it.  Anonymous access can now occur via
       SSHv2.  To do so, use the following CVSROOT:


       So, for example, to get an anonymous checkout of the GNU Emacs
       sources, you would run the following on the bash command line:

              export CVS_RSH="ssh"
              cvs -d :ext:address@hidden:/cvsroot/emacs co emacs

       The first time you do this, you will be prompted by SSH to
       authenticate the server's key fingerprint.  See (3) below for

       Note that since only SSHv2 is accepted, you must be sure that your
       ~/.ssh/config does indicate use of "Protocol 1" with
       savannah.gnu.org and savannah.nongnu.org.

       If you are absolutely unable to use this method for anonymous
       access, and you rely on anonymous access, please contact
       <address@hidden>.  Since SSH is now ubiquitously
       available on Free Software systems, we believe that requiring SSH
       to be installed locally to gain anonymous access from savannah is
       not burdensome.  If it turns out to burden you, please contact us.

       In fact, this new method authenticates and secures all anonymous
       access, and anonymous users are now safe from person-in-the-middle
       attacks when they verify the SSH host keys.

   (3) The host SSH keys for savannah.gnu.org, savannah.nongnu.org,
       subversions.gnu.org, etc. have changed.  They are as follows:

           DSA 1024 4d:c8:dc:9a:99:96:ae:cc:ce:d3:2b:b0:a3:a4:95:a5
           RSA 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5

       You will prompted for these the first time you use SSH to connect.
       If you have older keys stored in your known_hosts file, you may get
       a message that says there is a "nasty problem".  If so, remove the
       offending entry from your ~/.ssh/known_hosts, and reconnect.  SSH
       will prompt you to authenticate anew with one of the keys above.

   (4) Temporarily, we are unable to approve new projects on savannah.  We
       expect to begin accepting new projects before the end of January
       2004.  We have to reimplement project creation scripts to adhere to
       the new chroot structure.

   (5) Temporarily, the file distribution areas for releases are not
       functioning.  We hope to make them functional again in January 2004
       and secure them by using a similar system to that now used on

   (6) Temporarily, all web CVS trees are not functioning.  It is
       currently not possible to work on the CVS trees for websites using
       savannah.  We hope to fix this in mid-January 2004.

   (7) In early January 2004, we will record for each project whether or
       not the developers have checked their integrity using the data in
       previously-posted announcements.  The indicator will be similar to
       the "is GNU"/"is not GNU" indicator on the main project page.

   (8) You will later be required to upload a GnuPG key.  We are working
       on changes that will require GPG-signing of all CVS commits.  That
       functionality is not yet available, but when it is, we plan to
       make it mandatory to ensure the integrity of all software hosted
       on Savannah.

Finally, I want to thank all of your for your patience while we worked to
resolve these problems.  I know that many of you have been considering for
the past few weeks switching to another project development site.  I don't
blame you for considering that.  However, I ask now that you decide to
stay.  We have learned from this experience how to harden the system to be
less susceptible to cracking, and the changes we've made will not only
help to prevent future cracks, but will mitigate the damage such a crack
can cause.  The GPG-signing features that we plan to add in the coming
months will (at least at first) be unique among project hosting sites, and
ensure the integrity of your software to the greatest degree that is
humanly possible.

Meanwhile, Loic Dachary has coordinated the acquisition of new, redundant
servers in France, and we will work over the coming months to make them
(at first) read-only mirrors of the existing savannah (that can be turned
immediately live upon the occurrence of the crack).  In addition, as
Executive Director of FSF, I am committed to implementing protocols and
procedures over the next few months designed to limit downtime to a matter
of hours in the case of a crack.

This crack comes on the heels of cracks against many other Free Software
project sites; the crack of savannah is not an isolated incident.  We must
work together as a community to weather these incidents.  For our part,
this meant long hours and late nights over the past weeks to harden the
system, and more hard work to improve our disaster recovery plans.  We ask
that you make a contribution by sticking with us now that we've hardened
the system and work with us to keep the system secure for Free development
and software sharing.


Bradley M. Kuhn
Executive Director, Free Software Foundation

Version: GnuPG v1.2.1 (GNU/Linux)


--- End Message ---

reply via email to

[Prev in Thread] Current Thread [Next in Thread]