Gentoo Archives: gentoo-security

From: Thierry Carrez <koon@g.o>
To:
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Let's wrap this up shall we...
Date: Wed, 10 Nov 2004 09:44:01
Message-Id: 4191E2C3.1080304@gentoo.org
In Reply to: [gentoo-security] Let's wrap this up shall we... by Den
1 Den wrote:
2
3 > by not giving our here friend's Peter the attention he so crave.
4 >
5 > Obviously he has nothing better to do than to bait people into flaming
6 > him publicly or privately since it enables him the luxury of venting
7 > through his replies.
8 >
9 > As my good ole mother use to say: "just be wiser than your nagging
10 > brother: ignore him, he'll eventually go away"
11 >
12 > So let's ignore this problem and focus on the real one: coding ourselves
13 > the best portage tree signing Peter could not himself do while he blows
14 > his own little whistle on someone else's list.
15 >
16 > On your mark, ready, filter :P
17
18 I think this thread wasn't completely useless. Hopefully it will help
19 speed up the implementation of the final and complete solution we've
20 underway since a long time.
21
22 This solution, nobody complained here it wasn't good. The only complaint
23 we heard was that it wasn't implemented fast enough. That's already a
24 big improvement... the last time this was brought up in gentoo-dev there
25 was another endless thread where everyone was telling THEIR solution was
26 the best. Good thing we finally reached consensus on what is the best
27 solution.
28
29 I'm pretty sure almost all Gentoo developers subscribed to this
30 particular list (gentoo-security) already do all they can so that this
31 final solution gets implemented the fastest possible. So yelling at
32 Gentoo developers here won't speed up anything. There are other
33 developers out there that don't think this is top-priority. They are the
34 one this thread should evangelize. And no, yelling at people is not the
35 best way to do evangelization.
36
37 This has been a long-term effort, and finally we're seeing good
38 progress, with portage signing support in 2.0.51 deployed. Having a
39 band-aid deployed as a temporary workaround while we're in the last
40 rounds will only delay further adoption of the one and real true
41 solution. If it's deployed, we'll have quite a bunch of devs saying
42 there is no need for them to create a package signing key since
43 everything is now "secure" thanks to this genius solution. It will
44 likely double the time needed for the final and complete (and auditable)
45 solution to be deployed.
46
47 Now that's a tradeoff.
48
49 --
50 Thierry Carrez
51 Operational Manager, Gentoo Linux Security

Attachments

File name MIME type
signature.asc application/pgp-signature