| 1 |
On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri <lssndrbarbieri@×××××.com> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> I have concerns about the inclusion of zoom in ::gentoo. For me it's more |
| 5 |
> like a malware. |
| 6 |
> From the hacker news feed you'll find out that: |
| 7 |
> |
| 8 |
|
| 9 |
> [1] zero day vulnerability found |
| 10 |
> |
| 11 |
[2] passwords are truncated to 32 bit |
| 12 |
> |
| 13 |
[3] previously sent data to facebook |
| 14 |
> |
| 15 |
[4] end to end traffic isn't encrypted |
| 16 |
> [5] signed binary run unsigned script |
| 17 |
> |
| 18 |
> |
| 19 |
[1], [2], [5] all seem like bugs and I'd expect upstream to fix at least |
| 20 |
[1] and [5]. Note that in Gentoo [3] isn't directly relevant (this isn't |
| 21 |
iOS) and neither is [5] in most cases as people don't run signed binaries |
| 22 |
or use any kind of binary whitelisting in Gentoo. |
| 23 |
|
| 24 |
[2] I think the article mentions the truncation is to 32 bytes (or '32 |
| 25 |
chars', but I assume each char is 1 byte for entropy sake.); not 32 bits. |
| 26 |
Most password fields have a length limit (you cannot accept arbitrary long |
| 27 |
passwords. If 32 characters isn't enough length to protect users then the |
| 28 |
passwords are going to be useless anyway; most user passwords are |
| 29 |
significantly less than 32 characters. This is significantly different than |
| 30 |
limited to '32 bits' (which is 4 characters!) and would make brute forcing |
| 31 |
passwords an obvious breeze; there is not sufficient entropy in 32 bits to |
| 32 |
protect users. |
| 33 |
|
| 34 |
[4] I agree the poor marketing is a problem. I think as Rich states later |
| 35 |
in the thread it's possible we could provide more information here. As he |
| 36 |
notes though, I'm not convinced this is reason not to package the software |
| 37 |
in Gentoo from a policy perspective. |
| 38 |
|
| 39 |
In general I expect that as long as Zoom has a gentoo maintainer and |
| 40 |
upstream actually resolves outstanding security issues; I'm not really |
| 41 |
aware of any policy hurdles they need to overcome to stay packaged in |
| 42 |
Gentoo. Currently it has three maintainers[6]. If it sucks, convince them |
| 43 |
to stop maintaining it ;) |
| 44 |
|
| 45 |
-A |
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
> 1 https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1 |
| 50 |
> 2 https://news.ycombinator.com/item?id=22749706 |
| 51 |
> 3 |
| 52 |
> https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook |
| 53 |
> 4 https://theintercept.com/2020/03/31/zoom-meeting-encryption/ |
| 54 |
> 5 https://news.ycombinator.com/item?id=22746764 |
| 55 |
> |
| 56 |
|
| 57 |
[6] https://packages.gentoo.org/packages/net-im/zoom |
Archives