On Sun, Nov 07, 2004 at 03:40:46PM +0000, Kurt Lieber wrote:
> As another poster already noted, of course it is, but it's not specific to
> Gentoo. What happens if the server hosting the master repository of glibc
> gets compromised? How do you know that hasn't already happened and there's
> back doors galore on your machine right now? That may seem like a
> smart-ass question, but stop for a moment and consider it seriously. How
> do you *KNOW* that there are no backdoors in the version of glibc on your
> computer right now?

You don't. But that's like saying there's no point in closing the front
door since the bedroom window might be open. If the front door is closed
and locked, then at least we can pay more attention to the open window.

Plus, the glibc ebuild maintainer should be tracking the changes. He knows
what's going on in glibc land, he knows the build process, he should be
in touch with the main developers, and he should be reading the diffs.

If he doesn't have the time or skill to do that, he can at least compare
against the work of people who do, such as the source packages of Debian
or Fedora Core. It is pretty easy to do a diff.

Plus #2: both the glibc tarballs and the source packages of other distros
are signed. The glibc maintainer should have all those signatures on hand,
if needed, and be verifying them all before he puts the entire Gentoo
user base at risk.

I think this point is a red herring.

> > (2) Are there plans for getting it fixed?
>
> We already implemented a major change nearly a year ago by moving
> 'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
> Previously, we relied on community mirrors which worked well, but didn't
> allow us to ensure the servers were all held to the same high security
> standard.

Excellent.

> We've also taken a number of other steps to mitigate this type of exposure
> including getting GPG signing into portage and the creation of an auditing
> project which reviews the ebuilds and code used in our distribution.

Fantastic.

> > I have read some of the material Alexander hyper-linked to
> > and, frankly, most of it is outright frightening.
>
> Then you should immediately unplug your computer from the internet. The
> minute you jack in, you're accepting some level of risk. That's just the
> nature of the beast.

That's rather condescending.

I would instead recommend that he compare Gentoo to other distros that take
package signing more seriously. It may be that the features and benefits
of a source-based distro like Gentoo outweigh the need for signed ebuilds,
like it does for me on one of my machines. But it also may mean that
some machines require the security and peace of mind of another distro's
signing practices and verification policies. Other machines I admin
fall into this category as well.

- Chris


--
gentoo-security@g.o mailing list
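The two checks Chris describes above (verify the upstream tarball's detached GPG signature against a keyring the maintainer already holds, then diff the unpacked tree against the copy another distribution ships) as an added shell example. This is not from the original message and is not Gentoo's or portage's tooling; the throwaway key, the "demo-src-1.0" tarball and the "other distro" tree are fixtures constructed inside the script so it runs offline. It needs GnuPG 2.1 or later, tar and diff.

```shell
#!/bin/sh
# Added example (not from the original message or from Gentoo): a maintainer's
# pre-commit check on an upstream tarball. It (1) verifies the detached GPG
# signature against a keyring the maintainer already trusts and (2) diffs the
# unpacked tree against another distribution's copy of the same source.
# The key, "demo-src-1.0" and the "other-distro" tree are constructed here;
# no real glibc, Debian or Fedora artifact is involved.
set -eu

# Needs GnuPG 2.1+ (for --quick-gen-key and loopback pinentry); bail out cleanly otherwise.
gpg --batch --pinentry-mode loopback --version >/dev/null 2>&1 \
    || { echo "GnuPG 2.1+ not available; nothing to demo" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# The keyring is the trust anchor. It stands in for "the upstream key the
# maintainer already holds"; a key fetched at verify time from the same place
# as the tarball proves nothing, since whoever swapped the tarball can swap it.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "Demo Upstream <upstream@example.invalid>" default default never \
    >/dev/null 2>&1
KEYRING="$WORK/upstream-keyring.gpg"
gpg --batch --export > "$KEYRING"

# verify_tarball TARBALL SIG KEYRING -> 0 only for a good signature over
# TARBALL by a key in KEYRING. --no-default-keyring keeps whatever is in
# ~/.gnupg from silently satisfying the check.
verify_tarball() {
    gpg --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# diff_against_distro OURS THEIRS -> 0 if the trees are identical, 1 otherwise.
# The unified diff it prints is what the maintainer is supposed to read.
diff_against_distro() {
    diff -ru "$1" "$2" && return 0
    return 1
}

# --- constructed fixtures -------------------------------------------------
mkdir -p "$WORK/demo-src-1.0"
printf 'int main(void) { return 0; }\n' > "$WORK/demo-src-1.0/main.c"
tar -C "$WORK" -cf "$WORK/demo-src-1.0.tar" demo-src-1.0
gpg --batch --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/demo-src-1.0.tar.sig" "$WORK/demo-src-1.0.tar"

# A tampered copy: one appended byte is enough to break the signature.
cp "$WORK/demo-src-1.0.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"

# The "other distro's" unpacked copy, carrying a one-line change we want to see.
cp -r "$WORK/demo-src-1.0" "$WORK/other-distro"
printf 'int main(void) { return 1; }\n' > "$WORK/other-distro/main.c"

if verify_tarball "$WORK/demo-src-1.0.tar" "$WORK/demo-src-1.0.tar.sig" "$KEYRING"; then
    echo "demo-src-1.0.tar: signature OK"
fi
if ! verify_tarball "$WORK/tampered.tar" "$WORK/demo-src-1.0.tar.sig" "$KEYRING"; then
    echo "tampered.tar: signature REJECTED, do not unpack"
fi
if ! diff_against_distro "$WORK/demo-src-1.0" "$WORK/other-distro"; then
    echo "trees differ: read the diff above before committing the ebuild"
fi
```

Two design points the script makes explicit. The signature check is only as good as where the key came from, so the keyring is a fixed file the maintainer controls rather than anything fetched alongside the tarball. And the diff step is a corroboration, not a proof: agreement with Debian's or Fedora's copy means both pulled the same upstream bytes, while a non-empty diff is something to read, not a counter to drive a pass/fail decision.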