Trac Security and Privacy Questions
14 views
Skip to first unread message
Lorrie Pacheco
Nov 16, 2020, 9:11:12 PM11/16/20
to Trac Users
Hello,
I am the IT Software Acquisitions Customer Liaison at the Colorado School of Mines. We have request from a student to install EXPGUI GSAS on our university computers. This requires approval from our Security, Infrastructure and Privacy stakeholders. Would anyone in this group be able to point me to information that would help with understanding the security vulnerabilities and measures of this software? Also, what personal data is collected by this software for login, etc.?
I appreciate any thoughts you can share.
Best,
Lorrie Pacheco-Butler
Colorado School of Mines
RjOllos
Nov 17, 2020, 2:10:31 PM11/17/20
to Trac Users
TracStandalone (using Trac's web server) can authenticate using basic or digest authentication, with the Apache utilities commonly used to create the password files:
However, typically a third-party web server is used to serve Trac, such as Apache. There are many options for authentication, but most commonly basic, digest, or LDAP authentication is used, so the security of authentication and password storage falls to Apache.
Trac allows users to enter their real name and email through the preferences page. The information is stored in a cookie. The cookie also stores last login time and some other basic site preferences.
The Trac permission model is used to provide authorization to resources, once authenticated.
I can tell you informally that we have fixed all security vulnerabilities that have been reported to us privately. You may wish to look to a security vulnerabilities site to see if they have recorded any that are not fixed yet, but I'm not aware of any, and if you find any, please report to ad...@edgewall.org . We aim to fix those quickly.
We suggest running the latest version, 1.4.2, to ensure you have all available security fixes.
Ryan
RjOllos
Nov 17, 2020, 2:19:13 PM11/17/20
to Trac Users
On Monday, November 16, 2020 at 6:11:12 PM UTC-8 lorriea...@gmail.com wrote:
Now that I re-read your question, it sounds like you want to contact "EXPGUI GSAS". They are running a Trac site, which may be the point of confusion.
This is the mailing list for the Trac issue tracker, but we have nothing to do with EXPGUI GSAS.
Lorrie Pacheco
Nov 17, 2020, 5:46:30 PM11/17/20
to trac-...@googlegroups.com
Thank R Jollis,
I realized this today & hadn’t had a chance to update this forum. I appreciate your time.
Best,
Lorrie Ann
--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trac-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/trac-users/0c657c85-f07b-47c2-b0aa-3557e24145f4n%40googlegroups.com.
|
Reply all
Reply to author
Forward
0 new messages