Problems with FTP transport in Bazaar-NG 0.8

Jan Hudec bulb at ucw.cz
Tue May 16 07:21:03 BST 2006


On Mon, May 15, 2006 at 12:49:52 -0400, Aaron Bentley wrote:
> Michal Krenek wrote:
> > There is also another bug in FTP transport which I have reported two months ago:
> > https://launchpad.net/products/bzr/+bug/34685
> > 
> > It is a security hazard, it was confirmed, I have also done a small patch which
> > fixes it, but nothing happens and it is not fixed in 0.8 nor in bzr-dev.
> 
> FTP itself is a security hazard, because the username and password are
> transmitted as plaintext.  Yes, we can add a password prompt, but doing
> that doesn't add much security, because if you're concerned about people
> hacking into your machine, you should also be concerned about your
> network traffic.
> 
> FTP is not well supported because
> 1. None of the core developers use it
> 2. It is not unit-tested.
> 
> If someone can find a small FTP server that we can bundle, for use in
> the test suite, that would allow FTP to be tested, and it would be less
> likely to break.

I fear 'small FTP server' is a contradiction. FTP is unfortunately
a rather complicated protocol.

Hm, the only FTP server in Python I can find is the medusa thing. But
looking at contents of the Debian package with only 27 Python sources,
out of which about half seem to be handlers for different protocols, it
might be small enough to include it. The latest release is at
http://www.amk.ca/python/code/medusa.html if you want to take a look at
it.

-- 
						 Jan 'Bulb' Hudec <bulb at ucw.cz>
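
The two points raised in this thread (FTP credentials crossing the network as plaintext, and the wish for a bundled server to test against) can be seen together in the following added example, which is not code from this thread or from Bazaar. It is a loopback stub that speaks only the login part of the FTP control channel and records the raw lines Python's ftplib sends; the function names and the credentials are constructed for illustration.

```python
import ftplib
import socket
import threading


def _serve_one(listener, seen):
    """Handle one control connection, recording each raw command line."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as ctrl:
        def reply(text):
            ctrl.write(text.encode("ascii") + b"\r\n")
            ctrl.flush()

        reply("220 stub ready")
        for raw in ctrl:
            line = raw.decode("latin-1").rstrip("\r\n")
            seen.append(line)  # exactly what an on-path observer would read
            verb = line.split(" ", 1)[0].upper()
            if verb == "USER":
                reply("331 password required")
            elif verb == "PASS":
                reply("230 logged in")
            elif verb == "QUIT":
                reply("221 bye")
                break
            else:
                reply("502 not implemented")


def capture_login(user, password):
    """Log in with ftplib against the stub; return the lines it received."""
    seen = []
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=_serve_one, args=(listener, seen))
        worker.start()
        client = ftplib.FTP()
        client.connect("127.0.0.1", port, timeout=5)
        client.login(user, password)
        client.quit()
        worker.join(timeout=5)
    return seen


if __name__ == "__main__":
    for line in capture_login("demo-user", "demo-secret"):  # constructed credentials
        print(line)
```

The stub implements no data channel, so it can exercise a client's login handling in a test suite but not file transfers.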