Dan Margolis wrote:

> [...]
> Yes, this has the basic assumption that the private key is secure, but
> all secure systems make a few basic assumptions, so this is hardly
> unprecedented (we cannot thoroughly prove the security of RSA, and we
> often can't even come close for symmetric-key systems), but that
> doesn't mean that they have inherently zero value. I find that sort of
> argument to be quite flawed, because it's essentially saying, "Well,
> nothing is provably secure, so why even have secure systems?"
> [...]

Sorry, but I completely disagree. Guidelines exist. The "weakest link" and
"general participation" strategy base is lacking, signed ebuilds or not.
I could open some - as it seems - "useful" SourceForge project and
inject any "additional" code on Gentoo systems, while submitting a
perfectly "legal" ebuild, signed to "heavenly" trust. Will security
developers check the source? Will the users do it? It's just one possible
"leak", but it's the first one. So where is the security? It's gone,
since nobody actually can nor could foresee or calculate anything as long
as there is no global code auditing implemented.

Good will, ideas, step by step implemented - appreciated. Maybe many
$PROJECTS would "follow". But one fact remains: the complete process has
to be dealt with: from source generation over distribution to
installation. And as long as it's not completely done, security is not
calculable and therefore "zero". So dealing with signed ebuilds
security-wise is like dealing with signs on the front door saying "this
house is safe".

My 2 cents ...

-- 
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@××××.de

Said the attractive, cigar-smoking housewife to her girl-friend: "I got
started one night when George came home and found one burning in the
ashtray."