On Fri, Jun 09, 2006 at 05:22:18PM -0400, Chris Gianelloni wrote:
> On Fri, 2006-06-09 at 22:51 +0200, Patrick Lauer wrote:
> > On Fri, 2006-06-09 at 16:14 -0400, Chris Gianelloni wrote:
> > [snip]
> > > > If someone wanted to exploit boxen he'd use a much simpler attack
> > > > vector ... our rsync mirrors are wide open. No need to secure the little
> > > > window over there when the front door is open ...
> > >
> > > Really? I'd like you to give me root on rsync.gentoo.org, then. What's
> > > that? You can't? What a wonder!
> >
> > I don't need that ...
> > Look, three-step plan to hacking Gentoo boxen:
> >
> > 1) open a few rsync mirrors and get them into the official rotation
>
> Umm... the rsync servers in rsync.gentoo.org are all controlled by infra
> now. If you're using another rsync server (read, untrusted) then you
> get what you deserve. ;]
>

Right.

Besides, all distros suffer from this same problem; indeed, shouting that our mirror
system is a wide-open door is far from being fair. This new project, though,
could be a nice attack vector. In the FAQ you state that you don't allow
eclasses, and that's nice... but I can think of a thousand other ways to get
compromises without them, using ebuilds.

Not pointing fingers here, just stating that if this is an "official" project
(whatever that means)... or even if it's not, much caution is advised
security-wise in who you trust and what you are going to put in the tree (and,
most important, what the perception of your authority/reliability will be
user-wise).

Cheers

--
Andrea Barisani <lcars@g.o>                                       .*.
Gentoo Linux Infrastructure Developer                              V
                                                                 ( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc       ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E              ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-dev@g.o mailing list