public inbox for overseers@sourceware.org
* request for gcc web page maintainers
@ 2003-05-15 19:39 Christopher Faylor
From: Christopher Faylor @ 2003-05-15 19:39 UTC (permalink / raw)
  To: overseers

If there is a page somewhere in gcc which implies that the right way to
gain access to the gcc repository is to fill out the form at
http://sources.redhat.com, could it be changed to just have people send
email to overseers, instead?  Obfuscating, the overseers address would
probably be nice if this is done.  I've been doing this by either using
a .png version of the '@' symbol or by using .png version of the actual
email address.

cgf


* Re: request for gcc web page maintainers
From: Gerald Pfeifer @ 2003-05-22 22:28 UTC (permalink / raw)
  To: Christopher Faylor; +Cc: overseers

On Thu, 15 May 2003, Christopher Faylor wrote:
> If there is a page somewhere in gcc which implies that the right way to
> gain access to the gcc repository is to fill out the form at
> http://sources.redhat.com, could it be changed to just have people send
> email to overseers, instead?

Really? But how should the approval process work in that case? Should
the sponsor send mail to overseers or just be Cc:ed and then confirm?
(None of this is really safe, for Cc:s can be trivially faked.)

Let me know, and I'll update http://gcc.gnu.org/cvswrite.html (or, of
course, feel free to update that page however you see fit).

> Obfuscating, the overseers address would probably be nice if this is
> done.  I've been doing this by either using a .png version of the '@'
> symbol or by using .png version of the actual email address.

Ouch.  This is a killer for the blind and visually handicapped.

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/


* Re: request for gcc web page maintainers
From: Christopher Faylor @ 2003-05-23 14:42 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Fri, May 23, 2003 at 12:28:24AM +0200, Gerald Pfeifer wrote:
>On Thu, 15 May 2003, Christopher Faylor wrote:
>> If there is a page somewhere in gcc which implies that the right way to
>> gain access to the gcc repository is to fill out the form at
>> http://sources.redhat.com, could it be changed to just have people send
>> email to overseers, instead?
>
>Really? But how should the approval process work in that case? Should
>the sponsor send mail to overseers or just be Cc:ed and then confirm?
>(None of this is really safe, for Cc:s can be trivially faked.)

It's much harder to fake mail than it is to type an address into a web
page.  There's no security in the web page at all.

However, the bottom line is that the process doesn't work the way it
is apparently advertised to be working.  People fill out the assignment
form and it's up to me to guess what they want.  Email would be clearer
in this case unless someone wants to change the form.

>Let me know, and I'll update http://gcc.gnu.org/cvswrite.html (or, of
>course, feel free to update that page however you see fit).
>
>>Obfuscating, the overseers address would probably be nice if this is
>>done.  I've been doing this by either using a .png version of the '@'
>>symbol or by using .png version of the actual email address.
>
>Ouch.  This is a killer for the blind and visually handicapped.

I was just trying to avoid getting spam here.  Wouldn't it be obvious from
context that an email address was being mentioned, even if the '@' was
missing for some reason?

cgf


* Re: request for gcc web page maintainers
From: Gerald Pfeifer @ 2003-05-23 16:49 UTC (permalink / raw)
  To: overseers

On Fri, 23 May 2003, Christopher Faylor wrote:
> It's much harder to fake mail than it is to type an address into a web
> page.  There's no security in the web page at all.

The current web page is quite safe.  The applicant only provides the
mail address of the approver which then is sent a URL with a cookie.

That way, if you see "Approved: gerald@pfeifer.com" you can be
sufficiently sure that it was me who approved the account, because a
malicious user can easily spoof mail from me, but he can hardly intercept
mail gcc.gnu.org sends _to_ me and thus doesn't know the secret.

> However, the bottom line is that the process doesn't work the way it
> is apparently advertised to be working.

Well, _that's_ a good point. Unless someone steps forward to update the
form, I'm thus going to install the patch below.

> I was just trying to avoid getting spam here.  Wouldn't it be obvious
> from context that an email address was being mentioned, even if the '@'
> was missing for some reason?

I just did that in the patch below. ;-)

Gerald

Index: cvswrite.html
===================================================================
RCS file: /cvs/gcc/wwwdocs/htdocs/cvswrite.html,v
retrieving revision 1.54
diff -u -3 -p -r1.54 cvswrite.html
--- cvswrite.html	21 May 2003 00:12:50 -0000	1.54
+++ cvswrite.html	23 May 2003 16:44:55 -0000
@@ -31,12 +31,8 @@ href="bugs/management.html">edit our bug
 <h2><a name="authenticated">Authenticated access</a></h2>

 <p>Authenticated access is provided via the SSH protocol. Please
-provide us with your public key, which you can generate via the
-<code>ssh-keygen</code> program.  This will store your public key in
-the file <code>.ssh/identity.pub</code> in your home directory.
-Please use <a
-href="http://sources.redhat.com/cgi-bin/pdw/ps_form.cgi">this form</a>
-to supply the file and your other details.</p>
+provide <code>overseers (at) gcc.gnu.org</code> with your SSH public key
+which you can generate via the <code>ssh-keygen</code> program.</p>

 <p>Once we have this information we will set up an account on
 <code>gcc.gnu.org</code> and inform you by mail.  At this point you
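Review bot: The replacement paragraph drops the sentence saying that `ssh-keygen` stores the public key in `.ssh/identity.pub`; that hint is what tells an applicant which file to send (and keeps the private key from being mailed by mistake), so consider keeping it. The hunk also removes the form-based approver step without telling applicants to name the person sponsoring their access in the mail, which the rest of this thread relies on.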


* Re: request for gcc web page maintainers
From: Christopher Faylor @ 2003-05-23 17:59 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Fri, May 23, 2003 at 06:49:12PM +0200, Gerald Pfeifer wrote:
>On Fri, 23 May 2003, Christopher Faylor wrote:
>> It's much harder to fake mail than it is to type an address into a web
>> page.  There's no security in the web page at all.
>
>The current web page is quite safe.  The applicant only provides the
>mail address of the approver which then is sent a URL with a cookie.
>
>That way, if you see "Approved: gerald@pfeifer.com" you can be
>sufficiently sure that it was me who approved the account, because a
>malicious user can easily spoof mail from me, but he can hardly intercept
>mail gcc.gnu.org sends _to_ me and thus doesn't know the secret.

All you have to do is monitor the queue or overseers and then anyone can
fill in the approved line.  Since the email goes to overseers in either
case, I don't see how the web based case is more secure.

>> However, the bottom line is that the process doesn't work the way it
>> is apparently advertised to be working.
>
>Well, _that's_ a good point. Unless someone steps forward to update the
>form, I'm thus going to install the patch below.
>
>> I was just trying to avoid getting spam here.  Wouldn't it be obvious
>> from context that an email address was being mentioned, even if the '@'
>> was missing for some reason?
>
>I just did that in the patch below. ;-)

Wait.  I obviously wasn't clear in my request.  I wasn't saying that all
requests should be via email, just the ones from people who either already
have accounts on sources.redhat.com or who need to have their keys changed.

For instance, we sometimes get someone who has been contributing to binutils
requesting access to gcc.gnu.org.  Filling out the web form doesn't do anything
since they already have an account.  I'd just prefer that they send an email
saying "I already have an account, I just need to be activated for gcc and
Gerald Pfeifer says it's ok."

So, I'd suggest something like:

<p>Authenticated access is provided via the SSH protocol. Please
provide us with your public key, which you can generate via the
<code>ssh-keygen</code> program.  This will store your public key in
the file <code>.ssh/identity.pub</code> in your home directory.
<p>If you already have an account on sources.redhat.com, please send
an email message to overseers (at) sources.redhat.com with a request
to be given access to the gcc repository.  Include the name of the
person who is sponsoring your access.</p>
<p>If you do not already have an account on sources.redhat.com,
please use <a href="http://sources.redhat.com/cgi-bin/pdw/ps_form.cgi">
this form</a> to supply the file and your other details.</p> provide
<code>overseers (at) gcc.gnu.org</code> with your SSH public key which
you can generate via the <code>ssh-keygen</code> program.</p>

cgf


* Re: request for gcc web page maintainers
From: Gerald Pfeifer @ 2003-05-25  0:39 UTC (permalink / raw)
  To: overseers

On Fri, 23 May 2003, Christopher Faylor wrote:
>> That way, if you see "Approved: gerald@pfeifer.com" you can be
>> sufficiently sure that it was me who approved the account, because a
>> malicious user can easily spoof mail from me, but he can hardly intercept
>> mail gcc.gnu.org sends _to_ me and thus doesn't know the secret.
> All you have to do is monitor the queue or overseers and then anyone can
> fill in the approved line.  Since the email goes to overseers in either
> case, I don't see how the web based case is more secure.

So it doesn't send a specific cookie just to the (intended) approver?
That'd be a design bug in an otherwise decent protocol.

> So, I'd suggest something like:

I see.  So I committed the following updated patch:

  http://gcc.gnu.org/ml/gcc-patches/2003-05/msg02163.html

If you'd like to see further changes, just let me know.

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/
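
The approval protocol Gerald describes (a per-request secret mailed only to the approver the applicant named) and the weakness Chris points out (an "Approved:" line that anyone reading the overseers queue could write) can be modelled in a few lines. This is an added example, not the form's code; the store, the URL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Pending requests: request_id -> (approver_email, sha256 of the secret).
# In-memory for the example; a real system would persist this.
PENDING = {}


def issue_request(applicant, approver_email):
    """Applicant names an approver; a fresh secret is generated and only its
    hash is kept.  The clear secret goes into a URL mailed to the approver
    alone, never to the public overseers list."""
    request_id = secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    PENDING[request_id] = (approver_email,
                           hashlib.sha256(token.encode()).hexdigest())
    # Hypothetical host: the only place the secret leaves the server.
    approval_url = f"https://example.invalid/approve?id={request_id}&token={token}"
    return request_id, approval_url


def verify_approval(request_id, presented):
    """Accept an approval only if the presented secret matches the stored hash.
    A bare 'Approved: gerald@pfeifer.com' line carries no proof of origin."""
    entry = PENDING.get(request_id)
    if entry is None:
        return False
    _approver, token_hash = entry
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, token_hash):
        return False
    del PENDING[request_id]  # one-time use: a captured URL cannot be replayed
    return True


def demo():
    """Spoofed approval fails, the real secret succeeds once, replay fails."""
    rid, url = issue_request("newcontributor", "gerald@pfeifer.com")
    token = url.split("token=")[1]
    spoofed = verify_approval(rid, "Approved: gerald@pfeifer.com")
    real = verify_approval(rid, token)
    replay = verify_approval(rid, token)
    return spoofed, real, replay
```

If the secret is copied to the overseers list as well as to the approver, as Chris describes, the check in `verify_approval` proves nothing, which is the design bug Gerald names.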


* Re: request for gcc web page maintainers
From: Christopher Faylor @ 2003-05-25 16:35 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Sun, May 25, 2003 at 02:39:30AM +0200, Gerald Pfeifer wrote:
>On Fri, 23 May 2003, Christopher Faylor wrote:
>>> That way, if you see "Approved: gerald@pfeifer.com" you can be
>>> sufficiently sure that it was me who approved the account, because a
>>> malicious user can easily spoof mail from me, but he can hardly intercept
>>> mail gcc.gnu.org sends _to_ me and thus doesn't know the secret.
>> All you have to do is monitor the queue or overseers and then anyone can
>> fill in the approved line.  Since the email goes to overseers in either
>> case, I don't see how the web based case is more secure.
>
>So it doesn't send a specific cookie just to the (intended) approver?
>That'd be a design bug in an otherwise decent protocol.

It sends a message but there is nothing special about it.  The web form
was sort of a proof of concept and really needs more work.

>> So, I'd suggest something like:
>
>I see.  So I committed the following updated patch:
>
>  http://gcc.gnu.org/ml/gcc-patches/2003-05/msg02163.html
>
>If you'd like to see further changes, just let me know.

That's perfect, thanks.

cgf

