| 1 |
On Thu, Mar 25, 2004 at 07:11:47PM +0000, Chris Bainbridge wrote: |
| 2 |
> |
| 3 |
> All of these things might individually be less likely than a direct attack, |
| 4 |
> but together the possibility that one small security breach, for a single |
| 5 |
> developer, might occur is more than comparable to the possibility that the |
| 6 |
> rsync code, which has been extensively audited, might contain an external |
| 7 |
> exploit. |
| 8 |
> |
| 9 |
|
| 10 |
The difference is that we (the developers) control our machines. rsync |
| 11 |
mirrors are provided by third parties; we have no control whatsoever |
| 12 |
over those systems. |
| 13 |
|
| 14 |
There will always be the threat of compromise at some level. There are |
| 15 |
thousands of potential scenarios. Right now we're trying to fix one of |
| 16 |
them: rsync server compromise. |
| 17 |
|
| 18 |
rac relayed an interesting quote to me -- "Don't let perfect get in the |
| 19 |
way of better" |
| 20 |
|
| 21 |
-- |
| 22 |
Jon Portnoy |
| 23 |
avenj/irc.freenode.net |
| 24 |
|
| 25 |
-- |
| 26 |
gentoo-dev@g.o mailing list |
Archives