On Thu, Nov 11, 2004 at 07:23:49PM +0100 or thereabouts, Peter Simons wrote:
> And what pisses me off is not that _I_ have been treated
> somewhat unfriendly here on this list, it is that "some"
> guys are recklessly ignoring a security vulnerability that
> threatens your users -- no matter how minor the risk may be.

Nobody is recklessly ignoring anything. I suggested an option which will
give those users that care the ability to verify the contents of every
single file under /usr/portage. Namely, signing the daily snapshots of the
tree. You indicated that you didn't think this was sufficient and that
instead, you wanted hashes generated of every file in the tree because
otherwise, "regular" users would be unprotected.

What was unclear about your request is how the functionality was going to
be integrated into 'emerge sync'. Are you expecting the portage devs to
drop everything and integrate that functionality immediately?

What is also unclear is why the first option is insufficient. You stated a
requirement to be able to verify the integrity and authenticity of every
file under /usr/portage/ to ensure that no MIM attacks were taking place.
The suggestion of signing snapshots meets that requirement in every way and
does it in a way that introduces very little risk to our system.

> If that is not on-topic here, and I wonder what is.

I've never said your posts were off-topic. I said you were attacking
people -- not just Gentoo developers, but other users. Please do not
attack the members of this list.

--kurt
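The two options argued over in this thread, signed snapshots versus per-file hashes of the tree, both come down to whether the list of hashes is itself authenticated. The Python below is an added example, not code from the thread or from Portage: it builds a per-file hash list for a small constructed tree, authenticates the list with an HMAC under a constructed key (an assumed stand-in for the GPG release signature, so it runs offline), and shows that a list re-hashed to match a modified ebuild fails verification because the signature no longer covers it.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a release key: a real snapshot or hash list would carry a
# GPG signature, but an HMAC over the list demonstrates the same property offline.
RELEASE_KEY = b"constructed-release-key"

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256: a per-file hash list."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def serialize(manifest):
    """Deterministic text form of the hash list; these are the bytes the signature covers."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items())).encode()

def sign(manifest_bytes, key=RELEASE_KEY):
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()

def verify_tree(root, manifest_bytes, signature, key=RELEASE_KEY):
    """Authenticate the hash list first; only then compare every file against it."""
    if not hmac.compare_digest(sign(manifest_bytes, key), signature):
        return ["bad signature on hash list"]
    expected = dict(reversed(line.split("  ", 1)) for line in manifest_bytes.decode().splitlines())
    actual = build_manifest(root)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"modified: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    return sorted(problems)

def demo():
    """Constructed tree: a clean sync, a modified ebuild, then the list re-hashed to match it."""
    with tempfile.TemporaryDirectory() as root:
        ebuild = Path(root, "app-misc", "foo", "foo-1.0.ebuild")
        ebuild.parent.mkdir(parents=True)
        ebuild.write_text("DESCRIPTION='foo'\n")
        signed = serialize(build_manifest(root))
        sig = sign(signed)
        clean = verify_tree(root, signed, sig)
        ebuild.write_text("DESCRIPTION='foo'\nsrc_install() { :; }\n")
        modified = verify_tree(root, signed, sig)
        # The re-hashed list matches the modified file, but the old signature does not cover it.
        rehashed = verify_tree(root, serialize(build_manifest(root)), sig)
        return clean, modified, rehashed
```

Signing the whole snapshot gives the same guarantee for the tarball as a unit; per-file hashes only add something if the hash list is signed, otherwise a modification that also rewrites the list would pass unnoticed.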