On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri <lssndrbarbieri@×××××.com>
wrote:

> I have concerns about the inclusion of zoom in ::gentoo. For me it's more
> like malware.
> From the hacker news feed you'll find out that:
>
> [1] zero day vulnerability found
> [2] passwords are truncated to 32 bit
> [3] previously sent data to facebook
> [4] end to end traffic isn't encrypted
> [5] signed binary runs unsigned script
>

[1], [2], [5] all seem like bugs and I'd expect upstream to fix at least
[1] and [5]. Note that in Gentoo [3] isn't directly relevant (this isn't
iOS) and neither is [5] in most cases as people don't run signed binaries
or use any kind of binary whitelisting in Gentoo.

[2] I think the article mentions the truncation is to 32 bytes (or '32
chars', but I assume each char is 1 byte for entropy's sake), not 32 bits.
Most password fields have a length limit (you cannot accept arbitrarily long
passwords). If 32 characters isn't enough length to protect users then the
passwords are going to be useless anyway; most user passwords are
significantly less than 32 characters. This is significantly different from
being limited to '32 bits' (which is 4 characters!) and would make brute forcing
passwords an obvious breeze; there is not sufficient entropy in 32 bits to
protect users.

[4] I agree the poor marketing is a problem. I think, as Rich states later
in the thread, it's possible we could provide more information here. As he
notes though, I'm not convinced this is a reason not to package the software
in Gentoo from a policy perspective.

In general I expect that as long as Zoom has a Gentoo maintainer and
upstream actually resolves outstanding security issues, I'm not really
aware of any policy hurdles they need to overcome to stay packaged in
Gentoo. Currently it has three maintainers [6]. If it sucks, convince them
to stop maintaining it ;)

-A


> 1 https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1
> 2 https://news.ycombinator.com/item?id=22749706
> 3 https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook
> 4 https://theintercept.com/2020/03/31/zoom-meeting-encryption/
> 5 https://news.ycombinator.com/item?id=22746764
>

[6] https://packages.gentoo.org/packages/net-im/zoom