| 1 |
On Sun, Nov 07, 2004 at 03:40:46PM +0000, Kurt Lieber wrote: |
| 2 |
> As another poster already noted, of course it is, but it's not specific to |
| 3 |
> Gentoo. What happens if the server hosting the master repository of glibc |
| 4 |
> gets compromised? How do you know that hasn't already happened and there's |
| 5 |
> back doors galore on your machine right now? That may seem like a |
| 6 |
> smart-ass question, but stop for a moment and consider it seriously. How |
| 7 |
> do you *KNOW* that there are no backdoors in the version of glibc on your |
| 8 |
> computer right now? |
| 9 |
|
| 10 |
You don't. But that's like saying there's no point in closing the front |
| 11 |
door since the bedroom window might be open. If the front door is closed |
| 12 |
and locked, then at least we can pay more attention to the open window. |
| 13 |
|
| 14 |
Plus, the glibc ebuild maintainer should be tracking the changes. He knows |
| 15 |
what's going on in glibc land, he knows the build process, he should be |
| 16 |
in touch with the main developers, and he should be reading the diffs. |
| 17 |
|
| 18 |
If he doesn't have the time or skill to do that, he can at least compare |
| 19 |
against the work of people who do, such as the source packages of Debian |
| 20 |
or Fedora Core. It is pretty easy to do a diff. |
| 21 |
|
| 22 |
Plus #2: both the glibc tarballs and the source packages of other distros |
| 23 |
are signed. The glibc maintainer should have all those signatures on hand, |
| 24 |
if needed, and be verifying them all before he puts the entire Gentoo |
| 25 |
user base at risk. |
| 26 |
|
| 27 |
I think this point is a red herring. |
| 28 |
|
| 29 |
> > (2) Are there plans for getting it fixed? |
| 30 |
> |
| 31 |
> We already implemented a major change nearly a year ago by moving |
| 32 |
> 'rsync.gentoo.org' onto servers that are managed by the Gentoo team. |
| 33 |
> Previously, we relied on community mirrors which worked well, but didn't |
| 34 |
> allow us to ensure the servers were all held to the same high security |
| 35 |
> standard. |
| 36 |
|
| 37 |
Excellent. |
| 38 |
|
| 39 |
> We've also taken a number of other steps to mitigate this type of exposure |
| 40 |
> including getting GPG signing into portage and the creation of an auditing |
| 41 |
> project which reviews the ebuilds and code used in our distribution. |
| 42 |
|
| 43 |
Fantastic. |
| 44 |
|
| 45 |
> > I have read some of the material Alexander hyper-linked to |
| 46 |
> > and, frankly, most of it is outright frightening. |
| 47 |
> |
| 48 |
> Then you should immediately unplug your computer from the internet. The |
| 49 |
> minute you jack in, you're accepting some level of risk. That's just the |
| 50 |
> nature of the beast. |
| 51 |
|
| 52 |
That's rather condescending. |
| 53 |
|
| 54 |
I would instead recommend that he compare Gentoo to other distros that take |
| 55 |
package signing more seriously. It may be that the features and benefits |
| 56 |
of a source-based distro like Gentoo outweigh the need for signed ebuilds, |
| 57 |
like it does for me on one of my machines. But it also may mean that |
| 58 |
some machines require the security and peace of mind of another distro's |
| 59 |
signing practices and verification policies. Other machines I admin |
| 60 |
fall into this category as well. |
| 61 |
|
| 62 |
- Chris |
| 63 |
|
| 64 |
|
| 65 |
-- |
| 66 |
gentoo-security@g.o mailing list |
Archives