| 1 |
On Sun, 2004-11-07 at 12:19 +0900, Jason Stubbs wrote: |
| 2 |
> On Sunday 07 November 2004 05:56, Joshua Brindle wrote: |
| 3 |
> > perhaps some motivation for portage devs.... |
| 4 |
> > |
| 5 |
> > See bug #26110 |
| 6 |
> |
| 7 |
> The bug was originally about versioning eclasses, which has very little to do |
| 8 |
> with adding a trojan. |
| 9 |
As long as there are no eclass versions they can be modified without any |
| 10 |
checks detecting it. That was one of the things the original poster |
| 11 |
found to be very lacking since it even allows for "evil" eclasses. |
| 12 |
|
| 13 |
Also, having no versioning available makes the propagation of new |
| 14 |
(bugfix) eclasses a bit more difficult than neccessary. |
| 15 |
|
| 16 |
> There is already another bug open for digesting and |
| 17 |
> signing eclasses. |
| 18 |
Which still doesn't address the versioning problem which reminds many of |
| 19 |
the windows "dll hell" problem. |
| 20 |
|
| 21 |
> And no, people that have attitudes similar to that of this |
| 22 |
> ex-user provide no motivation at all. |
| 23 |
I think he is an ex-user because his critique and his ideas were always |
| 24 |
rejected without good explanation. That there might be a security |
| 25 |
problem at such a fundamental level has been known, iirc, for 2 years. |
| 26 |
Nothing visible has been done about it. I'd quit such a bunch of madmen |
| 27 |
too ;-) |
| 28 |
|
| 29 |
I hope that his sample trojan has at least warned you all that an "evil" |
| 30 |
person can bypass most of our security without too much trouble. Please |
| 31 |
don't just ignore it "because he yells at us". Just think what he'd do |
| 32 |
if he felt a need to show you a real-life exploit "because you don't |
| 33 |
listen". (Not that he'd do it, but someone else might, now that the idea |
| 34 |
has had such a high visibility) |
| 35 |
|
| 36 |
In the spirit of S.Ballmer: |
| 37 |
"Security! Security! Security! SECURITY! WAAAAH!" |
| 38 |
|
| 39 |
Patrick |
Archives