[Pharo-project] [squeak-dev] Security Vunerability in SqueakSource

Marcus Denker marcus.denker at inria.fr
Mon Mar 21 11:40:54 UTC 2011

On Mar 21, 2011, at 12:23 PM, Sven Van Caekenberghe wrote:

> On 21 Mar 2011, at 11:20, Bert Freudenberg wrote:
>> SqueakSource is simply a WebDAV server. All the versioning logic is local, implemented in Monticello, so allowing overwrites is not really SqueakSource's "fault". Besides, even if SqueakSource disallowed overwriting a version (which it probably should) nothing would prevent somebody else to upload a *new* version that did something bad.
> Yes versioning/naming is local and distributed, that is a feature. One cannot rely on the name alone.
> However, it is most certainly a bug that a server happily overwrites existing versions, a version control system should never do that.
> Your other points a valid, of course.
I think that "security" was not meant in the sense of accidentally loading wrong code. More in the sense that one could just
delete all your code. Even though we have backups of the SqueakSource filesystem, you don't want that, as it would be a
mess to repair.


Marcus Denker  -- http://www.marcusdenker.de
INRIA Lille -- Nord Europe. Team RMoD.

More information about the Squeak-dev mailing list