<div dir="ltr">Markus, this is on topic (on the edge). There is no password provided via SSL to this server. It just serve open source RPMs online. The real Heartbleed risk was for one of our own SSL certificate that should not have been there.<br><br>The password-protected parts of ELGIS are, by design and with sustainability in mind, all hosted by OSGeo (whose public infrastructure is well maintained, as you know).<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 19, 2014 at 4:22 PM, Markus Neteler <span dir="ltr"><<a href="mailto:neteler@osgeo.org" target="_blank">neteler@osgeo.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mathieu,<br>
<br>
<offtopic><br>
<span class="">On Wed, Nov 19, 2014 at 4:12 PM, Mathieu Baudier wrote:<br>
..<br>
> @Markus I very much appreciated your private mail a few days ago regarding<br>
> SSL (much less that you discuss on a public mailing-list the security of an<br>
> infrastructure that we graciously provide for years to the OSGeo<br>
> Foundation).<br>
<br>
</span>Well, I notified you in an earlier private email on May 22, 2014 (not<br>
some days ago as you say) then again on 8th of November.<br>
No answers from your side.<br>
At some point I had to warn users that they would potentially get<br>
their passwords leaked.<br>
<br>
Thanks that you fixed it now.<br>
</offtopic><br>
<br>
Regards,<br>
Markus<br>
<br>
PS: I would note that I am working hard on continuously fixing<br>
security issues along the OSGeo SAC team, often with a reaction time<br>
of less than 24h after taking notice of issues. And I privately notify<br>
people I know running other servers out there when I realize that they<br>
missed the warnings.<br>
</blockquote></div><br></div>