Problems with FTP transport in Bazaar-NG 0.8

Aaron Bentley aaron.bentley at utoronto.ca
Mon May 15 17:49:52 BST 2006


Michal Krenek wrote:
> There is also another bug in FTP transport which I reported two months ago:
> https://launchpad.net/products/bzr/+bug/34685
> 
> It is a security hazard, it was confirmed, I have also done a small patch which
> fixes it, but nothing happens and it is not fixed in 0.8 nor in bzr-dev.

FTP itself is a security hazard, because the username and password are
transmitted as plaintext.  Yes, we can add a password prompt, but doing
that doesn't add much security, because if you're concerned about people
hacking into your machine, you should also be concerned about your
network traffic.

FTP is not well supported because:
1. None of the core developers use it.
2. It is not unit-tested.

If someone can find a small FTP server that we can bundle, for use in
the test suite, that would allow FTP to be tested, and it would be less
likely to break.

Aaron
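An added example, not part of the original message and not Bazaar's own code: a loopback FTP stub built only from the Python standard library, of the kind a test suite could bundle, which records the control channel so a test can see that USER and PASS cross the socket as plain text. The names RecordingFTPHandler and capture_login and the credentials are constructed for illustration.

```python
import ftplib
import socketserver
import threading


class RecordingFTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough FTP (RFC 959) for a login and records each raw command."""

    def handle(self):
        self.wfile.write(b"220 stub FTP server ready\r\n")
        for raw in self.rfile:
            self.server.seen.append(raw)  # bytes exactly as they crossed the socket
            verb = raw.split(None, 1)[0].upper() if raw.strip() else b""
            if verb == b"USER":
                reply = b"331 password required\r\n"
            elif verb == b"PASS":
                reply = b"230 logged in\r\n"
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"502 not implemented\r\n"
            self.wfile.write(reply)


def capture_login(user, password):
    """Log in with ftplib against the stub; return the raw control-channel lines."""
    # Port 0 lets the OS pick a free loopback port, so tests never collide.
    with socketserver.TCPServer(("127.0.0.1", 0), RecordingFTPHandler) as server:
        server.seen = []
        worker = threading.Thread(target=server.serve_forever, daemon=True)
        worker.start()
        try:
            # Leaving the with-block sends QUIT, which ends the handler loop.
            with ftplib.FTP() as client:
                client.connect("127.0.0.1", server.server_address[1], timeout=5)
                client.login(user, password)
        finally:
            server.shutdown()
            worker.join()
    return server.seen


if __name__ == "__main__":
    # Constructed credentials, used only against the local stub.
    for line in capture_login("alice", "constructed-secret"):
        print(line)
```

The recorded lines are the unencrypted bytes any on-path observer would also see, which is the exposure a password prompt alone does not remove.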



