On Sun, 2004-11-07 at 12:19 +0900, Jason Stubbs wrote:
> On Sunday 07 November 2004 05:56, Joshua Brindle wrote:
> > perhaps some motivation for portage devs....
> >
> > See bug #26110
>
> The bug was originally about versioning eclasses, which has very little to do
> with adding a trojan.
As long as there are no eclass versions they can be modified without any
checks detecting it. That was one of the things the original poster
found to be very lacking since it even allows for "evil" eclasses.

Also, having no versioning available makes the propagation of new
(bugfix) eclasses a bit more difficult than necessary.

> There is already another bug open for digesting and
> signing eclasses.
Which still doesn't address the versioning problem, which reminds many of
the Windows "dll hell" problem.

> And no, people that have attitudes similar to that of this
> ex-user provide no motivation at all.
I think he is an ex-user because his critique and his ideas were always
rejected without good explanation. That there might be a security
problem at such a fundamental level has been known, iirc, for 2 years.
Nothing visible has been done about it. I'd quit such a bunch of madmen
too ;-)

I hope that his sample trojan has at least warned you all that an "evil"
person can bypass most of our security without too much trouble. Please
don't just ignore it "because he yells at us". Just think what he'd do
if he felt a need to show you a real-life exploit "because you don't
listen". (Not that he'd do it, but someone else might, now that the idea
has had such a high visibility)

In the spirit of S.Ballmer:
"Security! Security! Security! SECURITY! WAAAAH!"

Patrick
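Added illustration, not part of the thread or of portage: a small Python check in the spirit of the digesting and versioning bugs mentioned above. It assumes a hypothetical convention that each eclass declares `ECLASS_VERSION="x.y"`, records version plus SHA-256 per eclass in a trusted manifest, and then flags the case the mail warns about: an eclass whose content changed while its version did not.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed convention (not real portage): every eclass carries ECLASS_VERSION="x.y".
VERSION_RE = re.compile(r'^ECLASS_VERSION="([^"]+)"', re.MULTILINE)


def eclass_record(path):
    """Return (declared version, sha256 hex digest) for one eclass file."""
    data = path.read_bytes()
    m = VERSION_RE.search(data.decode("utf-8", "replace"))
    return (m.group(1) if m else "unversioned"), hashlib.sha256(data).hexdigest()


def build_manifest(eclass_dir):
    """Trusted snapshot: eclass name -> (version, digest) for every *.eclass."""
    return {p.name: eclass_record(p) for p in sorted(eclass_dir.glob("*.eclass"))}


def verify_eclasses(eclass_dir, manifest):
    """Classify each eclass in the tree against the trusted manifest."""
    status = {}
    for name, (version, digest) in manifest.items():
        path = eclass_dir / name
        if not path.exists():
            status[name] = "missing"
            continue
        cur_version, cur_digest = eclass_record(path)
        if cur_digest == digest:
            status[name] = "ok"
        elif cur_version == version:
            # Content changed but version did not: the silent edit a digest-only
            # check would still catch, and a version-only check would miss.
            status[name] = "modified-without-version-bump"
        else:
            status[name] = "updated"
    for p in eclass_dir.glob("*.eclass"):
        status.setdefault(p.name, "unlisted")  # present in tree, absent from manifest
    return status


def demo():
    """Constructed sample tree: one silent edit, one proper bump, one unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "foo.eclass").write_text('ECLASS_VERSION="1.0"\nfoo_src_compile() { emake; }\n')
        (d / "bar.eclass").write_text('ECLASS_VERSION="2.1"\nbar_pkg_setup() { :; }\n')
        manifest = build_manifest(d)
        (d / "foo.eclass").write_text('ECLASS_VERSION="1.0"\nfoo_src_compile() { emake; echo edited; }\n')
        (d / "bar.eclass").write_text('ECLASS_VERSION="2.2"\nbar_pkg_setup() { :; }\n')
        (d / "baz.eclass").write_text('baz_src_install() { emake install; }\n')
        return verify_eclasses(d, manifest)
```

Running `demo()` returns foo.eclass as modified-without-version-bump, bar.eclass as updated and baz.eclass as unlisted; a signed manifest would only add trust in who produced the snapshot, not change this comparison.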