
seb at jamkit
Oct 1, 2001, 4:20 AM
It occurred to me that there's a weak point in the security for CVS committers: we deposit our keys TTW over SSL, using our normal zope.org password, which also gets used elsewhere, unencrypted. What's more, my zope.org password has about 1 bit of entropy, and several of my colleagues know it; my ssl passphrase, on the other hand, is very secure. (I think ;-)

Perhaps you should only be able to deposit a key once TTW, and subsequently must do so using ssh?

seb