Our main preoccupation concerning Security on the server is :
- Confidentiality of the projects' data
- Availability of the projects' data
- We work to prevent account highjacking:
- You should not need to type passwords on a cleartext connection to the server, therefore :
- Authentificated connection to CVS using pserver has been disabled
- Authentification is performed over HTTPS
- SSH access is not possible using passwords. In fact, SSH will not allow connection with an empty passwd nor will it accept connection using ssh protocol version 1 (identity.pub files).
- Shell access is possible only in a limited chrooted environment where each project's data is isolated by using Unix file access permissions.
- The server's data, database and configuration options are saved on a different machine every day.
- Intrusion detection is performed on the server.
Nervertheless, your data is still present on a server that is accessible from anywhere and using a variety of services. If your project's data should be kept confidential at all costs, it should probably not be available on a forge of anykind.