On Sun, 7 Nov 2004, Brian Bilbrey wrote:

> Peter Simons wrote:
> > So if you guys would like to be the laughing stock of the
> > free software community once this vulnerability is exploited
> > for the first time, all I say is: Be my guest.
>
> How is this NOT a problem with every distribution that offers downloads
> ... oh, that's right ... ALL of them? Yep.

Based on some comments I've read from others in this discussion, not
Debian. I suspect there may be others, but, quite frankly, I'm not
following many distributions right now.

> Instead of a bunch of hounds baying at the Gentoo devs, who do what they
> do without much in the way of remuneration, and who have absolutely the
> best intentions and concern for the user base ... why not HELP them
> design a tool that can help ameliorate the risk to some acceptable level.
>
> I'll agree that having signed files will be a step forward in security,
> but also ack that in the larger scheme of things, it means little. But
> progress in a forward direction is always a good thing. Now, how about
> an independent signature/hash of the entire portage tree?

RSYNC_EXCLUDEFROM.

A signature on the entire portage is only useful if people download the
entire portage. Further, since you're having this performed by the
server, if one compromised that server, they could compromise all Gentoo
systems. Finally, it means that one can only apply changes to the
master rsync server once an hour, and it takes up a fairly large amount
of resources when that happens.

Admittedly, that's assuming that the Gentoo baselayout maintainers have
reasonably secure systems - after all, no matter what, compromising a
baselayout maintainer's system, or to a lesser extent, any core herd
member's system, gives access to the whole pie. But there isn't
anything that can be done about that, other than making certain that
they're educated on security practices and follow them.

So how is it that having the Manifest files all signed, and having the
Manifest signatures checked, and checking all the MD5 sums in the
Manifest files against the files in the directories is only a partial
answer? What openings remain for illicit content to make its way onto
the servers, without having gone through a dev?

Ed
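The per-directory Manifest check that Ed's last paragraph describes, as an added example that is not part of this thread or of Portage's own code. It assumes the old one-entry-per-line Manifest layout (MD5 digest, relative path, size in bytes), treats the Manifest's signature as already verified, and reports three things against a constructed sample tree: entries whose digest or size no longer match, listed files that have disappeared, and files present on disk that no Manifest entry covers at all, which a plain digest-by-digest comparison does not report.

```python
import hashlib
import os
import tempfile

# Constructed sample tree. Manifest lines follow the old Portage layout, assumed
# here to be "MD5 <hex digest> <relative path> <size in bytes>".
SAMPLE_FILES = {
    "foo-1.0.ebuild": b'DESCRIPTION="example"\nSRC_URI="http://example.invalid/foo-1.0.tar.gz"\n',
    "files/digest-foo-1.0": b"MD5 0123456789abcdef0123456789abcdef foo-1.0.tar.gz 1024\n",
}

def verify_manifest(manifest_text, directory):
    """Check a Manifest (signature assumed already verified) against a directory.
    'bad': digest/size mismatch; 'missing': listed but absent; 'unlisted': present
    on disk but not covered by the Manifest at all."""
    listed = {}
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "MD5":   # ignore other entry types
            listed[parts[2]] = (parts[1], int(parts[3]))
    result = {"bad": [], "missing": [], "unlisted": []}
    for rel, (digest, size) in listed.items():
        full = os.path.join(directory, rel)
        data = open(full, "rb").read() if os.path.isfile(full) else None
        if data is None:
            result["missing"].append(rel)
        elif len(data) != size or hashlib.md5(data).hexdigest() != digest:
            result["bad"].append(rel)
    for root, _dirs, names in os.walk(directory):   # files the Manifest omits
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), directory).replace(os.sep, "/")
            if rel != "Manifest" and rel not in listed:
                result["unlisted"].append(rel)
    return result

def demo():
    """Build a Manifest for the sample tree, verify it clean, then tamper
    (edit a file, delete one, add an unlisted one) and verify again."""
    manifest = "".join(f"MD5 {hashlib.md5(b).hexdigest()} {p} {len(b)}\n"
                       for p, b in sorted(SAMPLE_FILES.items()))
    with tempfile.TemporaryDirectory() as d:
        for rel, data in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            open(os.path.join(d, rel), "wb").write(data)
        clean = verify_manifest(manifest, d)
        open(os.path.join(d, "foo-1.0.ebuild"), "ab").write(b"# tampered\n")  # edit
        os.remove(os.path.join(d, "files", "digest-foo-1.0"))                # delete
        open(os.path.join(d, "extra.ebuild"), "wb").close()                   # add
        return clean, verify_manifest(manifest, d)
```

Running `demo()` returns the clean result (all three lists empty) followed by the tampered one, in which each of the three changes shows up under its own heading.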

--
gentoo-security@g.o mailing list