Till Maas wrote:
> No, this summary lacks the important fact that the password is not transferred
> via a secured connection. The problem that the application itself may have
> security vulnerabilities is only one reason why it is not a good idea to test
> it with the real FAS passwords. Another reason I can think of is that these
> passwords may be disclosed to the people that debug the tested application or
> that they are logged somewhere, because usually the logging on testing setups
> is more verbose than on stable ones. Even on the stable fedora wiki setup FAS
> passwords were logged by accident.
>

After discussion with mmcgrath, lmacken, and spot we've decided that to mitigate this, we're going to get the Fedora Community application into the staging environment. The staging environment closely mirrors the production environment, has a valid SSL certificate, and authenticates against a test FAS instance that is populated with production data but can diverge (i.e., you can change your password in the staging FAS so you do not have to use your real FAS password with the staging environment).

However, there are a lot of packages that make up Fedora Community and several core pieces that we are not presently running in production. So it may be a while before we get the necessary packages through Fedora review, installed, configured in puppet, decided on secure configurations, and set up in the staging environment.

-Toshio
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list