And I would like to add that sometimes you don't have a choice - if
someone who is paying you says to use zoom, there is no choice - but I
would rather use gentoo than fire up the MS laptop.

What gentoo can do is mitigate the risk - which I need to look into to
see what's done in the ebuild over a default install of their binary.


William K.


On 2/4/20 8:53 am, Alec Warner wrote:
> On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri
> <lssndrbarbieri@×××××.com <mailto:lssndrbarbieri@×××××.com>> wrote:
>
> I have concerns about the inclusion of zoom in ::gentoo. For me
> it's more like malware.
> From the Hacker News feed you'll find out that:
>
> [1] zero day vulnerability found
> [2] passwords are truncated to 32 bit
> [3] previously sent data to Facebook
> [4] end to end traffic isn't encrypted
> [5] signed binary runs unsigned script
>
>
> [1], [2], [5] all seem like bugs and I'd expect upstream to fix at
> least [1] and [5]. Note that in Gentoo [3] isn't directly relevant
> (this isn't iOS) and neither is [5] in most cases as people don't run
> signed binaries or use any kind of binary whitelisting in Gentoo.
>
> [2] I think the article mentions the truncation is to 32 bytes (or '32
> chars', but I assume each char is 1 byte for entropy's sake); not 32
> bits. Most password fields have a length limit (you cannot accept
> arbitrarily long passwords). If 32 characters isn't enough length to
> protect users then the passwords are going to be useless anyway; most
> user passwords are significantly less than 32 characters. This is
> significantly different than limited to '32 bits' (which is 4
> characters!) and would make brute forcing passwords an obvious breeze;
> there is not sufficient entropy in 32 bits to protect users.
>
> [4] I agree the poor marketing is a problem. I think as Rich states
> later in the thread it's possible we could provide more information
> here. As he notes though, I'm not convinced this is reason not to
> package the software in Gentoo from a policy perspective.
>
> In general I expect that as long as Zoom has a gentoo maintainer and
> upstream actually resolves outstanding security issues; I'm not really
> aware of any policy hurdles they need to overcome to stay packaged in
> Gentoo. Currently it has three maintainers [6]. If it sucks, convince
> them to stop maintaining it ;)
>
> -A
>
> [1] https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1
> [2] https://news.ycombinator.com/item?id=22749706
> [3] https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook
> [4] https://theintercept.com/2020/03/31/zoom-meeting-encryption/
> [5] https://news.ycombinator.com/item?id=22746764
> [6] https://packages.gentoo.org/packages/net-im/zoom