Securing our transifex instance

Dimitris Glezos dimitris at
Wed Aug 29 03:03:08 UTC 2007

Hi all.

It's time to add some non-localhost repos to our transifex instance, so
some advices on the security front would be greatly appreciated.

We're doing everything over SSH, with encrypted keys. Before starting
the TG app, tha admin needs to run ssh-agent and ssh-add. The goal would
be to have a different service actually handling the keys and the
commits, but that would have to wait for someone to submit the patchset.

With each repository (host) having its own key pair, `~/.ssh/config`
right now looks like this:

        Host localhost
         User transifex-testuser
         IdentityFile ~/.ssh/id_dsa
        # User transifex
        # IdentityFile ~/.ssh/id_dsa-cvsfpo
         User yumex-trans
         IdentityFile ~/.ssh/id_dsa-yumex
        Host *
         ForwardX11 no
         ForwardAgent no
         RhostsAuthentication no
         RhostsRSAAuthentication no
         PasswordAuthentication no
         StrictHostKeyChecking yes
         BatchMode yes
         CheckHostIP yes

On the web front, I tried my best to validate properly any input/output
from/to the user. Since transifex accepts user input, writes files on
our server, runs OS commands on the server, uses SSH keys to communicate
with other machines and writes to disks across the Internet, we better
make sure everything is OK before launching.

It would be great if some of you python hackers take a look at the code,
or anyone with the hobby of defacing websites run any injection/XSS-foo
on our instance, in order to identify and any additional checks or
reveal any mistakes I made (which I'm sure I did since it's my first big
python and TG app).

Our test instance dwells at

Short instructions to get the code and install a local instance to play
around freely and with less lag can be found at:

Bugs, reports, suggestions:



Dimitris Glezos
Jabber ID: glezos at, GPG: 0xA5A04C3B

"He who gives up functionality for ease of use
loses both and deserves neither." (Anonymous)

More information about the infrastructure mailing list