List Archive: gentoo-security
On Sun, Nov 07, 2004 at 02:14:28PM +0100 or thereabouts, Peter Simons wrote:
> I would kindly request a statement from the Gentoo developers about this.
I'm a developer, but you should consider the following to be my opinion
only and not any sort of official statement.
> (1) Do you agree that this is a problem?
As another poster already noted, of course it is, but it's not specific to
Gentoo. What happens if the server hosting the master repository of glibc
gets compromised? How do you know that hasn't already happened and there's
back doors galore on your machine right now? That may seem like a
smart-ass question, but stop for a moment and consider it seriously. How
do you *KNOW* that there are no backdoors in the version of glibc on your
computer right now?
> (2) Are there plans for getting it fixed?
We already implemented a major change nearly a year ago by moving
'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
Previously, we relied on community mirrors which worked well, but didn't
allow us to ensure the servers were all held to the same high security
We've also taken a number of other steps to mitigate this type of exposure
including getting GPG signing into portage and the creation of an auditing
project which reviews the ebuilds and code used in our distribution.
> (3) Is there any estimate how long this will take?
> I have read some of the material Alexander hyper-linked to
> and, frankly, most of it is outright frightening.
Then you should immediately unplug your computer from the internet. The
minute you jack in, you're accepting some level of risk. That's just the
nature of the beast.