| 1 |
On Sun, 7 Nov 2004, Brian Bilbrey wrote: |
| 2 |
|
| 3 |
> Peter Simons wrote: |
| 4 |
> > So if you guys would like to be the laughing stock of the |
| 5 |
> > free software community once this vulnerability is exploited |
| 6 |
> > for the first time, all I say is: Be my guest. |
| 7 |
> |
| 8 |
> How is this NOT a problem with every distribution that offers downloads |
| 9 |
> ... oh, that's right ... ALL of them? Yep. |
| 10 |
|
| 11 |
Based on some comments I've read from others in this discussion, not |
| 12 |
Debian. I suspect there may be others, but, quite frankly, I'm not |
| 13 |
following many distributions right now. |
| 14 |
|
| 15 |
> Instead of a bunch of hounds baying at the Gentoo devs, who do what they |
| 16 |
> do without much in the way of remuneration, and who have absolutely the |
| 17 |
> best intentions and concern for the user base ... why not HELP them |
| 18 |
> design a tool that can help ameliorate the risk to some acceptable level. |
| 19 |
> |
| 20 |
> I'll agree that having signed files will be a step forward in security, |
| 21 |
> but also ack that in the larger scheme of things, it means little. But |
| 22 |
> progress in a forward direction is always a good thing. Now, how about |
| 23 |
> an independent signature/hash of the entire portage tree? |
| 24 |
|
| 25 |
RSYNC_EXCLUDEFROM. |
| 26 |
|
| 27 |
A signature on the entire portage is only useful if people download the |
| 28 |
entire portage. Further, since you're having this performed by the |
| 29 |
server, if one compromised that server, they could compromise all Gentoo |
| 30 |
systems. Finally, it means that one can only apply changes to the |
| 31 |
master rsync server once an hour, and it takes up a fairly large amount |
| 32 |
of resources when that happens. |
| 33 |
|
| 34 |
Admittedly, that's assuming that the Gentoo baselayout maintainers have |
| 35 |
resonably secure system - after all, no matter what, compromising a |
| 36 |
baselayout maintainer's system, or to a lesser extent, any core herd |
| 37 |
member's system, gives access to the whole pie. But there isn't |
| 38 |
anything that can be done about that, other than making certain that |
| 39 |
they're educated on security practices and follow them. |
| 40 |
|
| 41 |
|
| 42 |
So how is it that having the Manifest files all signed, and having the |
| 43 |
Manifest signatures checked, and checking all the MD5 sums in the |
| 44 |
Manifest files against the files in the directories only a partial |
| 45 |
answer? What openings remain for illicit content to make its way onto |
| 46 |
the servers, without having gone through a dev? |
| 47 |
|
| 48 |
Ed |
| 49 |
|
| 50 |
-- |
| 51 |
gentoo-security@g.o mailing list |
Archives