Gentoo Archives: gentoo-dev

From: Andrea Barisani <lcars@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Project Sunrise thread -- a try of clarification
Date: Fri, 09 Jun 2006 22:04:34
Message-Id: 20060609214555.GD25418@fuse.inversepath.com
In Reply to: Re: [gentoo-dev] Project Sunrise thread -- a try of clarification by Chris Gianelloni
On Fri, Jun 09, 2006 at 05:22:18PM -0400, Chris Gianelloni wrote:
> On Fri, 2006-06-09 at 22:51 +0200, Patrick Lauer wrote:
> > On Fri, 2006-06-09 at 16:14 -0400, Chris Gianelloni wrote:
> > [snip]
> > > > If someone wanted to exploit boxen he'd use a much simpler attack
> > > > vector ... our rsync mirrors are wide open. No need to secure the little
> > > > window over there when the front door is open ...
> > >
> > > Really? I'd like you to give me root on rsync.gentoo.org, then. What's
> > > that? You can't? What a wonder!
> >
> > I don't need that ...
> > Look, three-step plan to hacking Gentoo boxen:
> >
> > 1) open a few rsync mirrors and get them into the official rotation
>
> Umm... the rsync servers in rsync.gentoo.org are all controlled by infra
> now. If you're using another rsync server (read, untrusted) then you
> get what you deserve. ;]
>

Right.

Besides, all distros suffer from this same problem; indeed, shouting that our mirror
system is a wide open door is far from being fair. This new project, though,
could be a nice attack vector. In the FAQ you state that you don't allow
eclasses, that's nice... but I can think of a thousand other ways to
compromise without them, using ebuilds.

Not pointing fingers here, just stating that if this is an "official" project
(whatever that means)... or even if it's not, much caution is advised
security-wise in who you trust and what you are going to put in the tree (and,
most important, what the perception of your authority/reliability will be
user-wise).

Cheers

--
Andrea Barisani <lcars@g.o>
Gentoo Linux Infrastructure Developer
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
--
gentoo-dev@g.o mailing list