| 1 |
A day ago I wrote: |
| 2 |
|
| 3 |
> At 2004-11-11 00:00:00 CET this article hits a rather |
| 4 |
> popular public full-disclosure mailing list. |
| 5 |
|
| 6 |
The problem with making predictions about by when you'll |
| 7 |
have finished something is that you are always wrong. This |
| 8 |
is no exception. So please don't be surprised if it won't be |
| 9 |
_exactly_ midnight. :-) |
| 10 |
|
| 11 |
I figured I'd better say it now to avoid receiving lots of |
| 12 |
e-mails from people telling me that I wouldn't know what |
| 13 |
time zone CET is. |
| 14 |
|
| 15 |
Anyway, since there is apparently no more need to discuss |
| 16 |
this problem with the "community" -- or at least not on this |
| 17 |
mailing list --, I'd like to take the liberty of adding a |
| 18 |
few short closing remarks concerning this whole issue. |
| 19 |
|
| 20 |
By now I have stopped counting the number of people who have |
| 21 |
called me a public stink, a troublemaker, and whatnot else. |
| 22 |
To those who have, I'd like to suggest that you check out a |
| 23 |
medieval concept called "hang the messenger". You are |
| 24 |
misunderstanding something. Not the people who draw |
| 25 |
attention to a vulnerability are causing trouble, the |
| 26 |
_vulnerability_ is causing trouble. So instead of attacking |
| 27 |
those who are concerned about the lack of authentication in |
| 28 |
Gentoo's distribution process, you should, well, fix the |
| 29 |
lack of authentication in Gentoo's distribution process. I |
| 30 |
wouldn't have thought it was possible, but apparently some |
| 31 |
people really need that spelled out for them. |
| 32 |
|
| 33 |
Furthermore, several people have complained that I would be |
| 34 |
too confrontational and that I should phrase my messages |
| 35 |
more politely if I wanted something to happen about this. |
| 36 |
Here is a nice analogy that IMHO puts that into perspective: |
| 37 |
You are a car manufacturer and you receive a phone call from |
| 38 |
someone who informs you that the breaks in your latest model |
| 39 |
have a design flaw that may result in them failing, thus |
| 40 |
potentially killing all passengers. And the person who |
| 41 |
reports this is really, really rude. Does that mean you |
| 42 |
shouldn't fix you breaks? |
| 43 |
|
| 44 |
Oh, and if you think about blowing up on me now because I |
| 45 |
implied that the Gentoo developers didn't care about |
| 46 |
security: You should really work on your reading |
| 47 |
comprehension. |
| 48 |
|
| 49 |
The reason why I am being confrontational is that if I |
| 50 |
hadn't been, NOTHING WOULD HAVE HAPPENED! |
| 51 |
|
| 52 |
Oh, and if you think about blowing up on me know because |
| 53 |
that would not be true ... then you might want to check the |
| 54 |
date of the first time this problem was reported. |
| 55 |
|
| 56 |
Last but not least I cannot help but notice a curious |
| 57 |
asymmetry in the way security issues are handled by Gentoo. |
| 58 |
It appears that the Gentoo developers are a lot more |
| 59 |
forthcoming when it comes to pointing out and fixing |
| 60 |
security vulnerabilities in upstream packages (a.k.a. |
| 61 |
_other_ people's code) than they are when it comes to |
| 62 |
admitting to and fixing problems in their own code. |
| 63 |
|
| 64 |
Oh -- you knew this were coming, right? --, if you think |
| 65 |
about blowing up on me know because I just implied that some |
| 66 |
people on this mailing list have a MASSIVE ego problem ... |
| 67 |
then go ahead. I did. |
| 68 |
|
| 69 |
Having properly antagonized everyone, there remains nothing |
| 70 |
left to say. So I'll let some other people speak the last |
| 71 |
words. Really, this whole thread has been a diamond mine for |
| 72 |
quotes to be readily used on all kinds of occasions. Here |
| 73 |
are my personal favorites: |
| 74 |
|
| 75 |
| I explicitly said that signing should be implemented! I |
| 76 |
| only disagree with the statement that it is a strong |
| 77 |
| security measure or that it's lack is a great danger to |
| 78 |
| Gentoo users. |
| 79 |
|
| 80 |
-- Marc Ballarin <Ballarin.Marc@×××.de> |
| 81 |
http://article.gmane.org/gmane.linux.gentoo.security/1727 |
| 82 |
|
| 83 |
|
| 84 |
| I wouldn't waste [my time] hypothesizing about a man in |
| 85 |
| the middle attack. While MOTM attacks are theoretically |
| 86 |
| possible on many many protocols, they are *not* a |
| 87 |
| serious threat [...]. |
| 88 |
|
| 89 |
-- Brian G. Peterson <brian@×××××××××.com> |
| 90 |
http://article.gmane.org/gmane.linux.gentoo.security/1771 |
| 91 |
|
| 92 |
Peter |
| 93 |
|
| 94 |
|
| 95 |
-- |
| 96 |
gentoo-security@g.o mailing list |
Archives