Sourceforge Attack: Full Report

38 points by billiob, more than 14 years ago

4 comments

lysium, more than 14 years ago
I don't see how this is a 'full report'. For example:

> There was a root privilege escalation on one of our platforms which permitted exposure of credentials that were then used to access machines with externally-facing SSH.

How are the credentials exposed after escalation? What accounts on the externally-facing SSH machines were used? Why was it a problem that the externally-facing SSH machines could be accessed? Was the access through root accounts? Why do externally-facing SSH machines allow remote root-login?

Besides, why can I still download projects when the data validation is still ongoing?

Furthermore, the 'full report' does not say anything about what SF.net plans for their ssh servers.

I understand the SF.net team does its best, but I am not so happy with that report.
nodata, more than 14 years ago
Sorry, but this is ridiculous:

"Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to [believe] the attacker was successful in collecting passwords."

You don't have reason to believe they weren't either. Why write this?
MindTwister, more than 14 years ago
Interesting read, both regarding the attack vector, actual damage and their current plans to get everything back up and running.
oomkiller, more than 14 years ago
The number of people whining about CVS support possibly being deprecated is amazing, get with the 21st century people.