[ELGIS] Some clarifications on the ELGIS effort and the ELGIS repository hosted by Argeo

Mathieu Baudier mbaudier at argeo.org
Wed Nov 19 07:59:05 PST 2014


Markus, this is on topic (on the edge). There is no password provided via
SSL to this server. It just serves open source RPMs online. The real
Heartbleed risk was for one of our own SSL certificates that should not have
been there.

The password-protected parts of ELGIS are, by design and with
sustainability in mind, all hosted by OSGeo (whose public infrastructure is
well maintained, as you know).

On Wed, Nov 19, 2014 at 4:22 PM, Markus Neteler <neteler at osgeo.org> wrote:

> Hi Mathieu,
>
> <offtopic>
> On Wed, Nov 19, 2014 at 4:12 PM, Mathieu Baudier wrote:
> ..
> > @Markus I very much appreciated your private mail a few days ago regarding
> > SSL (much less that you discuss on a public mailing-list the security of an
> > infrastructure that we graciously provide for years to the OSGeo
> > Foundation).
>
> Well, I notified you in an earlier private email on May 22, 2014 (not
> some days ago as you say) then again on 8th of November.
> No answers from your side.
> At some point I had to warn users that they would potentially get
> their passwords leaked.
>
> Thanks that you fixed it now.
> </offtopic>
>
> Regards,
> Markus
>
> PS: I would note that I am working hard on continuously fixing
> security issues along the OSGeo SAC team, often with a reaction time
> of less than 24h after taking notice of issues. And I privately notify
> people I know running other servers out there when I realize that they
> missed the warnings.
>