Hi,

>> - I personally consider this security measure neither appropriate nor useful.
>
> You may call me paranoid, but I have a permanent internet connection with
> static IPs at home for about 10 years now (I started with an analog leased
> line using two USR Dual Standard modems, the whole thing cost me about 800DM
> per month at that time). I'm also administrating other networks with static
> IPs and permanent internet connections. And I didn't have a single serious
> security incident in all the years. I don't know how well the svnserve code
> is written, but in case there's an incident, I want to at least be able to get
> behind the originator.

Again thanks for your open statement. I totally understand - and agree with - your motivation.

>> - Do you accept DNS records from all TLDs?
>
> The incoming host must have a valid reverse and matching forward lookup. The
> domain used doesn't matter. I think that's not too much to ask for.

Maybe time for some explanation on my side...

- Not useful: As Mike already pointed out, I see your policy easily yielding lots of both false positives and false negatives (aka type I and type II errors).

- Not appropriate: FCrDNS is about hosts, not about individuals. It's intended for machine to machine communication. But here we talk about individuals accessing a source code repository. Applying FCrDNS here is similar to a bank that does credit worthiness checks by evaluating if the credit applicant is living in a "good neighbourhood". Although questionable from an ethical point of view, the bank just has statistical data that shows a correlation between neighbourhood and payment morality. I however doubt that you have such data on the correlation between using an FCrDNS-less ISP and hacking your site.

I might serve as a good example: I'm contributing to cc65 for quite some years by now. I envision this stealing time from my family. Therefore I'm strictly staying clear from additionally stealing money from my family. So I'll certainly stay with my el cheapo ISP. Not getting access to your repository for that reason seems discriminating to me.

The internet of today is an internet of a mobile individual: Home, office, public hotspots, ... So from my perspective the (only) way to go for secure accessing a source code repository is on individuals with a PKI. Give certificates to people you either trust for some reason or you can identify in some way. If a certificate is abused revoke it for good.

Best, Oliver

----------------------------------------------------------------------
To unsubscribe from the list send mail to majordomo@musoftware.de with
the string "unsubscribe cc65" in the body(!) of the mail.

Received on Tue Aug 5 20:01:21 2008
This archive was generated by hypermail 2.1.8 : 2008-08-05 20:01:23 CEST
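To make the type I / type II point from the mail concrete, here is an added example (not from the cc65 list or Oliver's message) that implements the FCrDNS check as described above with a pluggable resolver and runs it over constructed records; every hostname and address below is made up from documentation ranges, and the "contributor without PTR" and "unwanted client with clean records" cases are assumptions for illustration.

```python
"""FCrDNS as an access policy, with a pluggable resolver so it runs offline on constructed records."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

def fcrdns_passes(ip: str, ptr: Callable[[str], Optional[str]],
                  a: Callable[[str], List[str]]) -> bool:
    """Pass only if ip has a PTR record whose name resolves back to ip."""
    name = ptr(ip)
    if not name:
        return False                  # no reverse record at all
    return ip in a(name.rstrip("."))  # forward lookup must confirm the reverse

# Adapters for the system resolver (the offline demo below does not use them).
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def system_a(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed zone data (documentation address ranges, not real hosts).
PTR: Dict[str, str] = {
    "198.51.100.10": "dev1.example.net",    # consistent reverse and forward
    "198.51.100.20": "mail.example.org",    # PTR present, forward points elsewhere
    "203.0.113.5": "vps42.hoster.example",  # unwanted client at a hoster with clean records
}
A: Dict[str, List[str]] = {
    "dev1.example.net": ["198.51.100.10"],
    "mail.example.org": ["198.51.100.21"],
    "vps42.hoster.example": ["203.0.113.5"],
}
# (ip, legitimate?) pairs; 192.0.2.77 is a contributor whose ISP publishes no PTR.
CLIENTS = [("198.51.100.10", True), ("198.51.100.20", True),
           ("192.0.2.77", True), ("203.0.113.5", False)]

def evaluate_policy(clients=CLIENTS) -> Tuple[List[str], List[str]]:
    """Return (legitimate users rejected, unwanted clients accepted): the type I / type II errors."""
    rejected_legit, accepted_bad = [], []
    for ip, legit in clients:
        ok = fcrdns_passes(ip, PTR.get, lambda n: A.get(n, []))
        if legit and not ok:
            rejected_legit.append(ip)
        elif ok and not legit:
            accepted_bad.append(ip)
    return rejected_legit, accepted_bad
```

Swapping `PTR.get` and the `A` lookup for `system_ptr` / `system_a` turns this into the live check the mail describes; the offline run shows two legitimate users refused and one unwanted client admitted, which is the host-versus-individual mismatch Oliver argues about.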