| 1 |
On Sun, Nov 07, 2004 at 02:14:28PM +0100 or thereabouts, Peter Simons wrote: |
| 2 |
> I would kindly request a statement from the Gentoo developers about this. |
| 3 |
|
| 4 |
I'm a developer, but you should consider the following to be my opinion |
| 5 |
only and not any sort of official statement. |
| 6 |
|
| 7 |
> Specifically: |
| 8 |
> |
| 9 |
> (1) Do you agree that this is a problem? |
| 10 |
|
| 11 |
As another poster already noted, of course it is, but it's not specific to |
| 12 |
Gentoo. What happens if the server hosting the master repository of glibc |
| 13 |
gets compromised? How do you know that hasn't already happened and there's |
| 14 |
back doors galore on your machine right now? That may seem like a |
| 15 |
smart-ass question, but stop for a moment and consider it seriously. How |
| 16 |
do you *KNOW* that there are no backdoors in the version of glibc on your |
| 17 |
computer right now? |
| 18 |
|
| 19 |
> (2) Are there plans for getting it fixed? |
| 20 |
|
| 21 |
We already implemented a major change nearly a year ago by moving |
| 22 |
'rsync.gentoo.org' onto servers that are managed by the Gentoo team. |
| 23 |
Previously, we relied on community mirrors which worked well, but didn't |
| 24 |
allow us to ensure the servers were all held to the same high security |
| 25 |
standard. |
| 26 |
|
| 27 |
We've also taken a number of other steps to mitigate this type of exposure |
| 28 |
including getting GPG signing into portage and the creation of an auditing |
| 29 |
project which reviews the ebuilds and code used in our distribution. |
| 30 |
|
| 31 |
> (3) Is there any estimate how long this will take? |
| 32 |
|
| 33 |
n/a |
| 34 |
|
| 35 |
> I have read some of the material Alexander hyper-linked to |
| 36 |
> and, frankly, most of it is outright frightening. |
| 37 |
|
| 38 |
Then you should immediately unplug your computer from the internet. The |
| 39 |
minute you jack in, you're accepting some level of risk. That's just the |
| 40 |
nature of the beast. |
| 41 |
|
| 42 |
--kurt |
Archives