| 1 |
And I would like to add that sometimes you don't have a choice - if |
| 2 |
someone who is paying you says to use zoom, there is no choice - but I |
| 3 |
would rather use gentoo than fire up the MS laptop.. |
| 4 |
|
| 5 |
What gentoo can do is mitigate the risk - which I need to look into to |
| 6 |
see whats done in the ebuild over a default install of their binary.. |
| 7 |
|
| 8 |
|
| 9 |
William K. |
| 10 |
|
| 11 |
|
| 12 |
On 2/4/20 8:53 am, Alec Warner wrote: |
| 13 |
> On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri |
| 14 |
> <lssndrbarbieri@×××××.com <mailto:lssndrbarbieri@×××××.com>> wrote: |
| 15 |
> |
| 16 |
> I have concerns about the inclusion of zoom in ::gentoo. For me |
| 17 |
> it's more like a malware. |
| 18 |
> From the hacker news feed you'll find out that: |
| 19 |
> |
| 20 |
> |
| 21 |
> [1] zero day vulnerability found |
| 22 |
> |
| 23 |
> [2] passwords are truncated to 32 bit |
| 24 |
> |
| 25 |
> [3] previously sent data to facebook |
| 26 |
> |
| 27 |
> [4] end to end traffic isn't encrypted |
| 28 |
> [5] signed binary run unsigned script |
| 29 |
> |
| 30 |
> |
| 31 |
> [1], [2], [5] all seem like bugs and I'd expect upstream to fix at |
| 32 |
> least [1] and [5]. Note that in Gentoo [3] isn't directly relevant |
| 33 |
> (this isn't iOS) and neither is [5] in most cases as people don't run |
| 34 |
> signed binaries or use any kind of binary whitelisting in Gentoo. |
| 35 |
> |
| 36 |
> [2] I think the article mentions the truncation is to 32 bytes (or '32 |
| 37 |
> chars', but I assume each char is 1 byte for entropy sake.); not 32 |
| 38 |
> bits. Most password fields have a length limit (you cannot accept |
| 39 |
> arbitrary long passwords. If 32 characters isn't enough length to |
| 40 |
> protect users then the passwords are going to be useless anyway; most |
| 41 |
> user passwords are significantly less than 32 characters. This is |
| 42 |
> significantly different than limited to '32 bits' (which is 4 |
| 43 |
> characters!) and would make brute forcing passwords an obvious breeze; |
| 44 |
> there is not sufficient entropy in 32 bits to protect users. |
| 45 |
> |
| 46 |
> [4] I agree the poor marketing is a problem. I think as Rich states |
| 47 |
> later in the thread it's possible we could provide more information |
| 48 |
> here. As he notes though, I'm not convinced this is reason not to |
| 49 |
> package the software in Gentoo from a policy perspective. |
| 50 |
> |
| 51 |
> In general I expect that as long as Zoom has a gentoo maintainer and |
| 52 |
> upstream actually resolves outstanding security issues; I'm not really |
| 53 |
> aware of any policy hurdles they need to overcome to stay packaged in |
| 54 |
> Gentoo. Currently it has three maintainers[6]. If it sucks, convince |
| 55 |
> them to stop maintaining it ;) |
| 56 |
> |
| 57 |
> -A |
| 58 |
> |
| 59 |
> 1 https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1 |
| 60 |
> 2 https://news.ycombinator.com/item?id=22749706 |
| 61 |
> 3 |
| 62 |
> https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook |
| 63 |
> 4 https://theintercept.com/2020/03/31/zoom-meeting-encryption/ |
| 64 |
> 5 https://news.ycombinator.com/item?id=22746764 |
| 65 |
> |
| 66 |
> |
| 67 |
> [6] https://packages.gentoo.org/packages/net-im/zoom |
Archives