
On 22.08.21 at 14:55, Christopher Conforti wrote:
On Wed, 18 Aug 2021 12:54:48 -0400 Brandon Allbery
wrote: https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html
It's almost as if big, single points of failure are not as resilient as a distributed web (or "bazaar") of independently-hosted sources. :-P
https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows
... It's just that I see this sort of thing a lot and it can sometimes be incredibly destructive to projects; the solution--hosting one's own git server--is simple, effective, and inexpensive.
The error message reports that there was an excessive amount of wrong logins, not a successful hack. Anybody who knows your public username can stage such an attack against your account - either the account gets locked, or the account gets hammered with password brute-force attempts until the attacker is successful. This is independent of whether the account is self-hosted or on a big service.
The only reason I can imagine that the practice isn't more widespread is that people are concerned about security. A good host will make that easier, and after the application of a few simple rules a much more secure system is possible with not that much effort at all.
Doing your own security means you have to constantly monitor the threat landscape. Which is pretty much a full-time job. You can skimp on it if you're hosting just your own data - a single person's data is usually not worth attacking. gitlab.haskell.org is a language community. It is much more valuable to an attacker, so "not that much effort at all" won't work. (Full disclosure: I am the "security person" for our team. I do not do the threat landscape monitoring, that's - thankfully - done by a full security team, I'm more the guy who just keeps up-to-date on what the security team is doing and passing on what's relevant to the team. Even that minimum task is taking more time off my normal work than I'd like.)

Regards,
Jo