| 1 |
On Monday 08 November 2004 07:47 am, Peter Simons wrote: |
| 2 |
> Since most of you seem to be believe that the bug is really |
| 3 |
> not that serious, I am certain this will worry you not in |
| 4 |
> the least. |
| 5 |
|
| 6 |
I assume that you intend to 'blow the whistle' because you are incapable or |
| 7 |
unwilling to submit a patch for the issue yourself? |
| 8 |
|
| 9 |
I agree that there is a lot of room for improvement in the portage security |
| 10 |
system. Signed ebuilds are a good start, but without ways to verify those |
| 11 |
signatures from a second source (presumably a different portage mirror), |
| 12 |
signed ebuilds don't buy much security. |
| 13 |
|
| 14 |
I wouldn't waste your time hypothesizing about a man in the middle attack. |
| 15 |
While MOTM attacks are theoretically possible on many many protocols, they |
| 16 |
are *not* a serious threat, because of the scale on which they must be |
| 17 |
undertaken, and the general care taken to keep core routers secure. Small |
| 18 |
scale MOTM attacks (like from a disgruntled employee) are certainly more |
| 19 |
feasible, and more common, but still require a fair degree of sophisication. |
| 20 |
Such an attacker for a small-scale MOTM attack probably has the |
| 21 |
sophistication to undertake a different, easier exploit. |
| 22 |
|
| 23 |
Others have already pointed out that Gentoo is a community based distribution. |
| 24 |
We help each other. Picking fights with volunteers has probably taken about |
| 25 |
as much time as it would have taken you to look at the python code and at |
| 26 |
least propose a code *design* for a patch, even if you can't code it |
| 27 |
yourself. |
| 28 |
|
| 29 |
Regards, |
| 30 |
|
| 31 |
- Brian |
| 32 |
|
| 33 |
-- |
| 34 |
gentoo-security@g.o mailing list |
Archives