On Fri, Sep 6, 2019 at 7:58 AM Michael Scherer <mscherer(a)redhat.com> wrote:
> On Thursday, September 5, 2019 at 08:09 -0400, Paul Frields wrote:
> > Off the top of my head...
> > On Thu, Sep 5, 2019 at 7:43 AM Michael Scherer <mscherer(a)redhat.com>
> > > If so, where should it be stored, the goal being just to avoid
> > > automated scanning (so I was thinking of some easy passwords in the doc,
> > > since the goal is just to prevent potential automated attacks)?
> > Not sure what you mean here -- you mean put the passwords in a doc
> Yup, I know that best practice is to encrypt etc., but there is an
> administrative cost in doing so if there is no infra to store such
> passwords safely, so I would just propose to add that in the public
> documentation, and say "the staging instance is protected from
> automated scanners with 'foo'/'password'".
> That's slightly less bad than having it directly exposed, but I am
> not sure there is anything interesting in the first place. The posts
> are public, there will be no web exposure (or any win in SEO or malware
> distribution) after a compromise (due to password protection).
> Worst case in case of compromise is that someone would just get a few
> emails, and I am not sure they can't already be harvested somewhere
> else in FAS anyway.
Given the whole shebang is no longer on Fedora-run infrastructure, this
sounds like an OK option to me.
> > - how up to date do we want it to be regarding posts, etc.?
> > > (I think we can't do a regular automated sync easily, so if that's
> > > needed, I will have to find some way to automate that)
> > Doesn't need to be sync'd all the time. If the current content is
> > needed we can always ask.
> > > - do we want to have it plugged into the prod instance of FAS or the
> > > staging one?
> > > (for now, that's the staging one)
> > Staging seems right to me.
> Ok, we need to keep that in mind if we sync again, this will be
> I will take care of that next week.
Is there any risk to FAS if someone gains access to the staging server? My
bet is not (only exposes an ability to federate ID) but if so, that would
be one less thing to worry about. We could use production in that case.