| 1 |
epistula illius Dan Margolis profluit verbis: |
| 2 |
> [...] |
| 3 |
> Yes, this has the basic assumption that the private key is secure, but |
| 4 |
> all secure systems make a few basic assumptions, so this is hardly |
| 5 |
> unprecedented (we cannot thoroughly prove the security of RSA, and we |
| 6 |
> often can't even come close for symmetric-key systems), but that |
| 7 |
> doesn't mean that they have inherently zero value. I find that sort of |
| 8 |
> argument to be quite flawed, because it's essentially saying, ``Well, |
| 9 |
> nothing is provably secure, so why even have secure systems?'' |
| 10 |
> [...] |
| 11 |
|
| 12 |
Sorry, but i completely disagree. Guidelines exist. The "weakest link" and |
| 13 |
"general participation" strategy base is lacking, signed ebuilds or not. |
| 14 |
I could open some - as ist seems - "usefull" sourceforge-project and |
| 15 |
inject any "additional" code on gentoo systems, while submitting a |
| 16 |
perfectly "legal" ebuild, signed to "heavenly" trust. Will security |
| 17 |
developers check the source? Will the users do it? It's just one possible |
| 18 |
"leak", but it's the first one. So where is the security? It's gone, |
| 19 |
since nobody actually can nor could foresee or calculate anything as long |
| 20 |
as there is no global code auditing implemented. |
| 21 |
|
| 22 |
Good will, ideas, step by step implemented - apreciated. Maybe many |
| 23 |
$PROJECTS would "follow". But one fact remains: the complete process has |
| 24 |
to be dealt with: from source-generation over distribution to |
| 25 |
installation. And as long as it's not completely done, security is not |
| 26 |
calculable and therefore "zero". So dealing with signed ebuilds |
| 27 |
securitywise is like dealing with signs on the frontdoor saying "this |
| 28 |
house is safe". |
| 29 |
|
| 30 |
My 2 cents ... |
| 31 |
|
| 32 |
-- |
| 33 |
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01 |
| 34 |
eMail: awaschb@××××.de |
| 35 |
|
| 36 |
Said the attractive, cigar-smoking housewife to her girl-friend: "I got |
| 37 |
started one night when George came home and found one burning in the |
| 38 |
ashtray." |
Archives