List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Monday 08 November 2004 07:47 am, Peter Simons wrote:
> Since most of you seem to be believe that the bug is really
> not that serious, I am certain this will worry you not in
> the least.
I assume that you intend to 'blow the whistle' because you are incapable or
unwilling to submit a patch for the issue yourself?
I agree that there is a lot of room for improvement in the portage security
system. Signed ebuilds are a good start, but without ways to verify those
signatures from a second source (presumably a different portage mirror),
signed ebuilds don't buy much security.
I wouldn't waste your time hypothesizing about a man in the middle attack.
While MOTM attacks are theoretically possible on many many protocols, they
are *not* a serious threat, because of the scale on which they must be
undertaken, and the general care taken to keep core routers secure. Small
scale MOTM attacks (like from a disgruntled employee) are certainly more
feasible, and more common, but still require a fair degree of sophisication.
Such an attacker for a small-scale MOTM attack probably has the
sophistication to undertake a different, easier exploit.
Others have already pointed out that Gentoo is a community based distribution.
We help each other. Picking fights with volunteers has probably taken about
as much time as it would have taken you to look at the python code and at
least propose a code *design* for a patch, even if you can't code it
firstname.lastname@example.org mailing list