On Sun, Nov 07, 2004 at 02:14:28PM +0100 or thereabouts, Peter Simons wrote:

> I would kindly request a statement from the Gentoo developers about this.

I'm a developer, but you should consider the following to be my opinion
only and not any sort of official statement.

> Specifically:
>
> (1) Do you agree that this is a problem?

As another poster already noted, of course it is, but it's not specific to
Gentoo. What happens if the server hosting the master repository of glibc
gets compromised? How do you know that hasn't already happened and there are
backdoors galore on your machine right now? That may seem like a
smart-ass question, but stop for a moment and consider it seriously. How
do you *KNOW* that there are no backdoors in the version of glibc on your
computer right now?

> (2) Are there plans for getting it fixed?

We already implemented a major change nearly a year ago by moving
'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
Previously, we relied on community mirrors, which worked well but didn't
allow us to ensure the servers were all held to the same high security
standard.

We've also taken a number of other steps to mitigate this type of exposure,
including getting GPG signing into portage and the creation of an auditing
project which reviews the ebuilds and code used in our distribution.

> (3) Is there any estimate how long this will take?

n/a

> I have read some of the material Alexander hyper-linked to
> and, frankly, most of it is outright frightening.

Then you should immediately unplug your computer from the internet. The
minute you jack in, you're accepting some level of risk. That's just the
nature of the beast.

--kurt
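The mitigation kurt points to, signing in portage, only helps if the tree a mirror hands you is actually checked against something the mirror operator cannot forge. The following is an added example (not Gentoo or Portage code, and not the real Manifest format or its signing) that shows the checking half of that: it walks a synced tree, compares every file to a manifest of SHA-256 hashes, and reports files that are missing, modified, or present on disk but absent from the manifest, which is how an injected ebuild from a compromised rsync host would surface. The manifest line format `SHA256 <hex> <path>` and the sample ebuild paths are constructed for the example; verifying the manifest's own signature (with gpg) is assumed to have happened before this check is trusted.

```python
"""Integrity check of a synced tree against a hashed manifest.

Added example, not Gentoo/Portage code: the Manifest format used here
('SHA256 <hex> <relative path>') is hypothetical.  The manifest is assumed
to have had its detached signature verified already (e.g. with gpg);
this script only checks that the tree on disk matches it.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large distfiles don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse hypothetical 'SHA256 <hex> <relative path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, relpath = line.split(None, 2)
        if algo != "SHA256":
            raise ValueError("unsupported algorithm: %s" % algo)
        entries[relpath] = digest.lower()
    return entries


def verify_tree(root, manifest):
    """Return (ok, problems).

    A problem is a manifest entry that is missing or has a different hash,
    or a file on disk that the manifest never listed (an injected ebuild
    would show up as 'unlisted').
    """
    problems = []
    on_disk = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk.add(os.path.relpath(full, root).replace(os.sep, "/"))
    for relpath, digest in manifest.items():
        if relpath not in on_disk:
            problems.append(("missing", relpath))
        elif sha256_file(os.path.join(root, relpath)) != digest:
            problems.append(("modified", relpath))
    for relpath in sorted(on_disk - set(manifest)):
        problems.append(("unlisted", relpath))
    return (not problems, problems)


def demo():
    """Build a constructed tree and manifest, check it, tamper with it, re-check.

    Returns (clean_result, tampered_result) from verify_tree().
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for a tiny slice of the tree.
        files = {
            "sys-libs/glibc/glibc-2.3.4.ebuild": b"# constructed ebuild\nDESCRIPTION=\"GNU libc\"\n",
            "sys-libs/glibc/files/glibc.patch": b"--- a\n+++ b\n",
        }
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        manifest_text = "\n".join(
            "SHA256 %s %s" % (hashlib.sha256(data).hexdigest(), rel)
            for rel, data in files.items())
        manifest = parse_manifest(manifest_text)
        clean = verify_tree(root, manifest)

        # Simulate a compromised mirror: alter one listed file, add an unlisted one.
        with open(os.path.join(root, "sys-libs/glibc/glibc-2.3.4.ebuild"), "ab") as f:
            f.write(b"# injected line\n")
        with open(os.path.join(root, "sys-libs/glibc/glibc-9999.ebuild"), "wb") as f:
            f.write(b"# injected file\n")
        tampered = verify_tree(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree ok:", clean[0])
    print("tampered tree ok:", tampered[0], tampered[1])
```

The 'unlisted' check is the one people tend to forget: hashing only the files named in the manifest lets an attacker add a new ebuild that was never hashed at all, which is exactly the sort of thing a compromised mirror would do. None of this is worth anything unless the manifest itself arrived over a channel the mirror cannot tamper with, which is why the signing step matters more than the hashing.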