List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
I have to say that I am shocked by Alexander's posting. Once
more I am forced to recognize that there is a difference
between knowing that an exploit is "theoretically possible"
and _seeing_ the actual exploit implemented in under 50
lines of code.
Having said that, I am even more shocked by the fact that
this problem has been long known! As a user who doesn't like
the idea of giving up control of his machines to random
people on the Internet, I would kindly request a statement
from the Gentoo developers about this. Specifically:
(1) Do you agree that this is a problem?
(2) Are there plans for getting it fixed?
(3) Is there any estimate how long this will take?
I have read some of the material Alexander hyper-linked to
and, frankly, most of it is outright frightening.
> PPPS: I really appreciate all the very good work on
> hardened gcc, selinux-profiles and so on, but for me,
> this all seems useless as long as the base is compromised
> that easy and the user has no practical way (e.g. hashs)
> to check what he gets on his machine with a 'sync'.
I wholeheartedly agree.
email@example.com mailing list