Someone has contacted me about a security issue with Majordomo 1.94.5
(the current release). Essentially, the algorithm used to generate
cookies for use in "auth" commands is weak and easily reversible.
The person has suggested alternate implementations which they believe
are more secure; I have no reason to doubt them, but I'm not a
cryptographer, and can't really evaluate whether their proposed
replacement is any better than the original code.

The problem is, I view Majordomo as essentially dead code. I'm not
really willing to sink much more of my own time and effort into
Majordomo. This is but one of several problems with it.

The only reason I still offer Majordomo for download from the
GreatCircle.com web site is that the Majordomo2 folks haven't yet
officially released their package; unfortunately, though, I'm not
sure if they ever will.

If somebody else wants to step forward and be the new "release
coordinator" (as John Rouillard and Chan Wilson were in the past),
then I'd be happy to distribute the new tarball that they put
together, but I'm not willing to step into that role myself.

So, are there any volunteers who can convince me that they're capable
of taking on the role?

-Brent
--
Brent Chapman <Brent@GreatCircle.COM>
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841