On Fri, Sep 6, 2019 at 7:58 AM Michael Scherer <mscherer@xxxxxxxxxx> wrote:
> On Thursday, 05 September 2019 at 08:09 -0400, Paul Frields wrote:
> > Off the top of my head...
> >
> > On Thu, Sep 5, 2019 at 7:43 AM Michael Scherer <mscherer@xxxxxxxxxx>
> > wrote:
> > > If so, where should it be stored, the goal being just to avoid
> > > automated scanning (so I was thinking some easy passwords in the doc,
> > > since the goal is just to prevent potential automated attacks) ?
> > >
> >
> > Not sure what you mean here -- you mean put the passwords in a doc
> > somewhere?
>
> Yup, I know that best practice is to encrypt etc, but there is an
> administrative cost in doing so if there is no infra to store such
> passwords safely, so I would just propose to add that in the public
> documentation, and say "the staging instance is protected from
> automated scanner with "foo"/"password"".
>
> That's slightly less bad than having it directly exposed, but I am
> not sure there is anything interesting in the first place. The posts
> are public, there will be no web exposure (or any win in SEO or malware
> distribution) after a compromise (due to password protection).
>
> Worst case in case of compromise is that someone would just get a few
> emails, and I am not sure they can't be already harvested somewhere
> else in FAS anyway.
>

Given the whole shebang is no longer on Fedora-run infrastructure, this
sounds like an OK option to me.

> > - how up to date do we want it to be regarding posts, etc ?
> > > (I think we can't do a regular automated sync easily, so if that's
> > > needed, I will have to find some way to automate that)
> > >
> >
> > Doesn't need to be sync'd all the time. If the current content is
> > needed we can always ask.
> >
> >
> > > - do we want to have it plugged to the prod instance of FAS or the
> > > staging one ?
> > > (for now, that's the staging one)
> >
> >
> > Staging seems right to me.
>
> Ok, we need to keep that in mind if we sync again, this will be
> erased/forgotten.
>
> I will take care of that next week.
>

Is there any risk to FAS if someone gains access to the staging server?
My bet is not (only exposes an ability to federate ID) but if so, that
would be one less thing to worry about. We could use production in that
case.

--
Paul