[Bf-committers] FTP access to download.b.o (was: Blender 2.80 Release Candidate - master frozen)

Fri Jul 19 18:12:24 CEST 2019

Hi,

On Fri, Jul 19, 2019 at 11:59 AM dr. Sybren A. Stüvel <sybren at stuvel.eu>
wrote:

> I agree with Dan. FTP is a old, insecure protocol, and we don't need
> anonymous uploads at all. Platform maintainers can use their SSH key to
> gain access to the file storage.
>

Agreed! Debian has also deprecated FTP. I was speaking with Brecht as well,
and given the go ahead to disable our FTP server indefinitely. While the
directory for "ftp" still exists, note that the actual ftp:// protocol
access to our download.blender.org server is considered disabled.

> I would recommend using a Yubikey for this, stored in a safe at the
> Blender Institute. Getting the right key is easy once it's poured into
> hardware.
>

Aye, in fact I was mentioning to Brecht that I use a Yubikey my SSH,
signing etc, for years now for access to the rack. They are very nice 2FA
devices, in addition to their signing abilities. While I can't speak for
Mac or Windows use, I know that Linux can use these very well. They would
also be good for 2FA for some of our other services, such as Wordpress, but
that is another topic.
On a side note, my apologies for not clarifying things more! The specific
situation was that, after not having a virus uploaded to our ftp/incoming/
folder in nearly a year (September 2019), one suddenly happened at nearly
the exact same time as our releases were starting to be populated. As a bit
of a panic'd reflex, I made the call to alert the blender.chat coders
channel, and after not getting responses from some core folks, I wrote the
email, as a precaution!

The specific situation details is that we used to allow FTP uploads to the
"incoming" area, which is how people generally put files into the server
for us. While we never allowed removing, appending, renaming, or
downloading of files via FTP, an attacker could very well have taken
advantage of this fact by colliding the filenames used for release. In this
particular case, the filename was info.zip, and was detected by the system
and moved out of the way, but you can imagine that this process is only so
effective. And while FTP never allowed downloads, people (such as eager
Blender users!) could always download the files via HTTP/HTTPS, if they
merely visited the well known url that we have historically used as a
community "drop box" of sorts. You can see my concerns!

Anyway, clearly I over reacted a bit, and ruffled some feathers! My
apologies! Glad to see the security issue finally getting kick started
though! I look forward to a Yubikey discussion! :)

Cheers,

Dan

>
> --
> Sybren A. Stüvel
>
> https://stuvelfoto.nl/
> https://stuvel.eu/
>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> https://lists.blender.org/mailman/listinfo/bf-committers
>