wine users - Oct 2011 - Thoughts regarding the database compromise....

1] not using secure http for log-ins seems a bit 20th century.
2] to join this mailing list, I needed to send my new credentials over unsecured
http - see 1] above.
3] to change password  from the compromised reset password, I need to use
unsecured http - see 1] above.

My point here is that if you are saddened, upset or concerned about the
compromise, might the 3 above points also be on the list of things to address?

Pardon if this is already pointed out, I've no desire to spend an hour to
read archives when I'd still want devs to see that more than just one person
likes secure logins.

flame on!

_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit
http://www.TechEmail.com

First Last now why is securing it that important on the mailing list.

Email is not secure to start off with unless you use a signing certificate to
sign your messages.

Basically everything could be done to secure those passwords and it basically
does nothing to stop people posting as you onto the mailing list as a imposter. 
Posting emails with fake from addresses is really really simple.

Something being compromised on is a zero issue.

Source code archive yes that had to be secure.  Bugzilla and Appdb yes that has
to be secure.

Now someone breaches you on mailing list post report of breach in bugzilla works
very well.

There is a reason why wine never in the first place went for a single sign on
solution.

At some point in the future the world need to move up to signed emails or newer
more secure tech.

oiaohm wrote:
> There is a reason why wine never in the first place went for a single sign
on solution.
I was under the impression that the "reason" was simply because the
different parts of the site evolved separately. I also suspect that many,
possibly most, users used the same email address and password on all parts of
the site anyway, so the "security" of forcing people to create
separate accounts is illusory.

On 10/16/11 7:09 AM, dimesio wrote:
> oiaohm wrote:
>> There is a reason why wine never in the first place went for a single
sign on solution.
> I was under the impression that the "reason" was simply because
the different parts of the site evolved separately. I also suspect that many,
possibly most, users used the same email address and password on all parts of
the site anyway, so the "security" of forcing people to create
separate accounts is illusory.
>
The move to a single sign-on was discussed at length both on and 
off-line.  It was decided NOT to implement such a feature because if 
your Forum logon, for instance, was cracked, so was your Bugzilla and 
Applications Database.  Some of the older users found that 
unacceptable.  As a Information Security Specialist, I found that 
unacceptable as well.  We require, in my workplace, separate logins for 
each system a user accesses, specifically to address that case.

James

jjmckenzie wrote:
> if your Forum logon, for instance, was cracked, so was your Bugzilla and
Applications Database.
Do you seriously believe that the fact that people had to create separate
accounts for the various parts of WineHQ stopped anyone from using the same
login and password on all of them?