A day ago I wrote:

> At 2004-11-11 00:00:00 CET this article hits a rather
> popular public full-disclosure mailing list.

The problem with making predictions about by when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)

I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.

Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.

By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. It is not the people who draw
attention to a vulnerability who are causing trouble; the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.

Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the brakes in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix your brakes?

Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.

The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!

Oh, and if you think about blowing up on me now because
that would not be true ... then you might want to check the
date of the first time this problem was reported.

Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.

Oh -- you knew this was coming, right? --, if you think
about blowing up on me now because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.

Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:

| I explicitly said that signing should be implemented! I
| only disagree with the statement that it is a strong
| security measure or that its lack is a great danger to
| Gentoo users.

-- Marc Ballarin <Ballarin.Marc@×××.de>
http://article.gmane.org/gmane.linux.gentoo.security/1727

| I wouldn't waste [my time] hypothesizing about a man in
| the middle attack. While MOTM attacks are theoretically
| possible on many many protocols, they are *not* a
| serious threat [...].

-- Brian G. Peterson <brian@×××××××××.com>
http://article.gmane.org/gmane.linux.gentoo.security/1771

Peter

--
gentoo-security@g.o mailing list