[Haskell-cafe] Fwd: Unlock instructions

Joachim Durchholz jo at durchholz.org
Sun Aug 22 13:35:05 UTC 2021


On 22.08.21 at 14:55, Christopher Conforti wrote:
> On Wed, 18 Aug 2021 12:54:48 -0400
> Brandon Allbery <allbery.b at gmail.com> wrote:
> 
>> https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html
> 
> It's almost as if big, single points of failure are not as resilient as
> a distributed web (or "bazaar") of independently-hosted sources. :-P
> 
> https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows
> 
> ... It's just I see this sort of thing a lot and it can
> sometimes be incredibly destructive to projects; the solution--hosting
> one's own git server--is simple, effective, and inexpensive.

The error message reports that there was an excessive number of wrong 
logins, not a successful hack. Anybody who knows your public username 
can stage such an attack against your account - either the account gets 
locked, or the account gets hammered with password bruteforce attempts 
until the attacker is successful.

This is independent of whether the account is self-hosted or on a big 
service.

> The only reason I can imagine that the practice isn't more widespread
> is that people are concerned about security. A good host will make that
> easier, and after the application of a few simple rules a much more
> secure system is possible with not that much effort at all.

Doing your own security means you have to constantly monitor the threat 
landscape. Which is pretty much a full-time job.
You can skimp on it if you're hosting just your own data - a single 
person's data is usually not worth attacking.
gitlab.haskell.org is a language community. It is much more valuable to 
an attacker, so "not that much effort at all" won't work.

(Full disclosure: I am the "security person" for our team. I do not do 
the threat landscape monitoring, that's - thankfully - done by a full 
security team, I'm more the guy who just keeps up-to-date on what the 
security team is doing and passes on what's relevant to the team. Even 
that minimum task is taking more time off my normal work than I'd like.)

Regards,
Jo
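The trade-off Jo describes (a per-account lockout lets anyone who knows the username deny service, while no lockout at all leaves the password open to guessing) can be made concrete with a small simulation. This is an added example, not code from the thread or from gitlab.haskell.org; the policies, thresholds, addresses and credential store are all constructed for the illustration. It contrasts a naive hard lockout with a policy that throttles the abusive source address, applies a bounded per-account backoff instead of a permanent lock, and records an alert when an account sees a burst of failures.

```python
"""Added example, not from the mailing-list thread: a small simulation of two
login-throttling policies. Every name, address, threshold and the credential
store below is constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed credential store; a real service keeps salted password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class NaiveLockout:
    """Hard-lock the account after `limit` failures, wherever they come from.
    Anyone who knows the username can trigger the lock: the denial of service
    Jo describes, with no password knowledge required."""
    limit: int = 5
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def attempt(self, user, password, source_ip, now):
        if self.failures[user] >= self.limit:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


@dataclass
class SourceAwareThrottle:
    """Cut off abusive source addresses, apply a bounded exponential backoff
    per account instead of a hard lock, and raise an alert when an account
    sees a burst of failures so the event is noticed rather than silently
    absorbed."""
    ip_limit: int = 20            # failures allowed per source per window
    window: float = 600.0         # seconds
    max_delay: float = 60.0       # cap on the per-account backoff
    alert_threshold: int = 5      # failures per account per window before alerting
    ip_failures: dict = field(default_factory=lambda: defaultdict(list))
    account_failures: dict = field(default_factory=lambda: defaultdict(list))
    account_backoff: dict = field(default_factory=dict)  # user -> (next_allowed, delay)
    alerts: list = field(default_factory=list)

    def _recent(self, stamps, now):
        return [t for t in stamps if now - t < self.window]

    def attempt(self, user, password, source_ip, now):
        self.ip_failures[source_ip] = self._recent(self.ip_failures[source_ip], now)
        if len(self.ip_failures[source_ip]) >= self.ip_limit:
            return "throttled"      # the source is refused before the account is touched
        next_allowed, delay = self.account_backoff.get(user, (0.0, 1.0))
        if now < next_allowed:
            return "retry-later"    # short, bounded pause; never a permanent lock
        if USERS.get(user) == password:
            self.account_backoff.pop(user, None)
            return "ok"
        self.ip_failures[source_ip].append(now)
        self.account_failures[user] = self._recent(self.account_failures[user], now) + [now]
        self.account_backoff[user] = (now + delay, min(delay * 2, self.max_delay))
        if len(self.account_failures[user]) == self.alert_threshold:
            self.alerts.append((user, source_ip, now))
        return "denied"


def simulate(policy, attacker_attempts=100):
    """Constructed scenario: 10.0.0.1 sends wrong passwords for 'alice' once a
    second; Alice then logs in from 192.0.2.7 with the right password at t=200."""
    attacker = [policy.attempt("alice", f"guess{i}", "10.0.0.1", float(i))
                for i in range(attacker_attempts)]
    alice = policy.attempt("alice", USERS["alice"], "192.0.2.7", 200.0)
    return {"attacker_failures_recorded": attacker.count("denied"),
            "attacker_refused": attacker_attempts - attacker.count("denied"),
            "alice": alice}


if __name__ == "__main__":
    print("naive lockout:", simulate(NaiveLockout()))
    throttle = SourceAwareThrottle()
    print("source-aware :", simulate(throttle))
    print("alerts raised:", throttle.alerts)
```

Under the naive policy the guesser needs only five wrong passwords to lock Alice out, and her correct login from an unrelated address is refused. Under the source-aware policy the exponential backoff reduces 100 guesses to seven recorded failures, Alice's login succeeds once the bounded delay has elapsed, and the burst is surfaced as an alert that a monitoring team can act on, which is the part Jo's message points out nobody gets for free when self-hosting.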
