From: Peter Simons <simons@××××.to>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Out of air (was: Let's blow the whistle)
Date: Wed, 10 Nov 2004 01:21:43
A day ago I wrote:

 > At 2004-11-11 00:00:00 CET this article hits a rather
 > popular public full-disclosure mailing list.

The problem with making predictions about when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)

I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.

Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.

By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. It is not the people who draw
attention to a vulnerability who are causing trouble; the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.

Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the brakes in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix your brakes?

Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.

The reason why I am being confrontational is that if I

Oh, and if you think about blowing up on me now because
that would not be true ... then you might want to check the
date of the first time this problem was reported.

Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.

Oh -- you knew this was coming, right? --, if you think
about blowing up on me now because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.

Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:

 | I explicitly said that signing should be implemented! I
 | only disagree with the statement that it is a strong
 | security measure or that its lack is a great danger to
 | Gentoo users.

 -- Marc Ballarin <Ballarin.Marc@×××.de>

 | I wouldn't waste [my time] hypothesizing about a man in
 | the middle attack. While MOTM attacks are theoretically
 | possible on many many protocols, they are *not* a
 | serious threat [...].

 -- Brian G. Peterson <brian@×××××××××.com>

Peter
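The thread above argues about whether a missing signature on distributed files matters when a checksum is served alongside them. The following Go program is an added illustration of that point and is not code from the original message, from Gentoo, or from anyone quoted in it. It models a mirror handing out a constructed archive, a digest of it, and a detached Ed25519 signature over the digest, and then shows what each check accepts when an untrusted mirror or an on-path party substitutes the archive and recomputes the digest it serves. The archive contents, the key pair and the Snapshot type are all constructed for the example; the public key is assumed to have reached the client out of band.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Snapshot is what a mirror hands out: the archive bytes, a digest of
// them, and (once signing is in place) a detached signature over that
// digest. This is a constructed model, not Gentoo's real format.
type Snapshot struct {
	Data      []byte
	Digest    []byte
	Signature []byte
}

// publish is the distributor's side: hash the archive and sign the hash
// with the distributor's private key.
func publish(data []byte, priv ed25519.PrivateKey) Snapshot {
	d := sha256.Sum256(data)
	return Snapshot{Data: data, Digest: d[:], Signature: ed25519.Sign(priv, d[:])}
}

// substituteInTransit models what an untrusted mirror or an on-path party
// can do without the private key: replace the archive and recompute the
// digest served next to it. The old signature is left in place because it
// cannot be regenerated for the new digest.
func substituteInTransit(s Snapshot, replacement []byte) Snapshot {
	d := sha256.Sum256(replacement)
	return Snapshot{Data: replacement, Digest: d[:], Signature: s.Signature}
}

// VerifyDigestOnly is the check a client gets from a checksum fetched over
// the same channel as the archive: it only confirms the digest matches the
// bytes it arrived with.
func VerifyDigestOnly(s Snapshot) bool {
	d := sha256.Sum256(s.Data)
	return bytes.Equal(d[:], s.Digest)
}

// VerifySigned additionally requires the detached signature to verify
// under a public key the client obtained out of band.
func VerifySigned(s Snapshot, pub ed25519.PublicKey) bool {
	if !VerifyDigestOnly(s) {
		return false
	}
	return ed25519.Verify(pub, s.Digest, s.Signature)
}

// Demo runs the scenario and returns three results:
// digest-only check accepts the substituted archive,
// signature check accepts the substituted archive,
// signature check accepts the genuine archive.
func Demo() (digestOnlyAcceptsSubstituted, signedAcceptsSubstituted, signedAcceptsGenuine bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed archive: original snapshot contents")
	replaced := []byte("constructed archive: substituted snapshot contents")

	served := publish(genuine, priv)
	substituted := substituteInTransit(served, replaced)

	return VerifyDigestOnly(substituted),
		VerifySigned(substituted, pub),
		VerifySigned(served, pub)
}

func main() {
	a, b, c := Demo()
	fmt.Printf("digest-only check accepts substituted archive: %v\n", a)
	fmt.Printf("signature check accepts substituted archive:   %v\n", b)
	fmt.Printf("signature check accepts genuine archive:       %v\n", c)
}
```

The digest-only check passes on the substituted archive because whoever replaced the bytes also replaced the digest; the signature check fails on it because the signature was made over the original digest with a key the substitutor does not hold, and passes only on the genuine archive. That is the whole content of the disagreement quoted above: a checksum served from the same channel as the file verifies transport integrity against accidents, not against a party who controls that channel.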
