Re: is gitosis secure?

On Mon, 15 Dec 2008, Nix wrote:

> On 14 Dec 2008, Jakub Narebski spake thusly:
>> BTW. is outgoing SSH transport (from network to outside) blocked as
>> well?
>
> *No* ports are open. All they have is a (non-transparent) buggy HTTP
> proxy. These guys really don't get the Internet, despite their sales
> literature banging on endlessly about it.
>
> Looks like a lot of git-bundling is in my future.

No ports being open and a non-transparent HTTP proxy doesn't tell me that they don't get the Internet. They could get the Internet just fine and be suitably paranoid about it. Controlling outbound traffic is actually a good thing in the current era of botnets (it prevents any of the machines in that company from participating in a botnet if they can't reach the command system).

The fact that the proxy is buggy could be an issue (I'm curious about what types of bugs you are running into; what you see as a bug may not be).

If there is a business reason for the developers on that network to be accessing resources on the Internet, there should be a way to request that the appropriate ports get opened. If the answer from the security folks is 'no', you should ask them why not and what could be done to get the job done.

it may be that they don't want to provide access out from a bunch of desktops. If that is the case it may be appropriate to build a box to put into the DMZ that pulls from the upstream and then the inside desktops pull from this gateway system.


The saying goes "don't attribute to malice what can be explained by incompetence", but along the same lines in the security field, don't attribute to incompetence what can be explained by people doing their jobs that are ignorant of the requirements. They may also be operating under constraints that you don't know about.

David Lang
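
The gateway arrangement suggested in this message (a DMZ box pulls from upstream, inside desktops pull from that box), sketched as an added example that is not part of the original message or of any project's tooling. The function names `sync_mirror` and `is_allowed`, the variables `MIRROR_ROOT` and `ALLOWED_UPSTREAMS`, and their default values are assumptions.

```shell
#!/bin/sh
# Added example: keep a read-only git mirror on a DMZ gateway host.
# MIRROR_ROOT and ALLOWED_UPSTREAMS are hypothetical names and values.
MIRROR_ROOT="${MIRROR_ROOT:-/srv/git-mirror}"
ALLOWED_UPSTREAMS="${ALLOWED_UPSTREAMS:-https://example.org/project.git}"

# is_allowed URL: succeed only if URL is on the approved upstream list.
is_allowed() {
    for u in $ALLOWED_UPSTREAMS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# sync_mirror NAME URL: create or refresh $MIRROR_ROOT/NAME.git from URL.
# Returns 0 on success, 2 if URL is not approved, 3 if the existing
# mirror tracks another upstream, 1 on any git failure.
sync_mirror() {
    name=$1 url=$2 dir="$MIRROR_ROOT/$1.git"
    is_allowed "$url" || { echo "refused: $url not on allow-list" >&2; return 2; }
    mkdir -p "$MIRROR_ROOT" || return 1
    if [ ! -d "$dir" ]; then
        # First run: bare mirror, checking objects as they arrive.
        git -c transfer.fsckObjects=true clone --quiet --mirror "$url" "$dir" || return 1
    else
        # Refuse to reuse a mirror that points somewhere else.
        [ "$(git -C "$dir" config --get remote.origin.url)" = "$url" ] || {
            echo "refused: $dir tracks a different upstream" >&2; return 3; }
        git -C "$dir" -c transfer.fsckObjects=true fetch --quiet --prune origin || return 1
    fi
    # Verify the object store before inside desktops pull from it.
    git -C "$dir" fsck --no-dangling >/dev/null 2>&1 || return 1
}
```

Run `sync_mirror` from a scheduled job on the gateway; inside desktops then clone and fetch from the gateway copy, so only one host needs an outbound rule.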