On Monday 08 November 2004 07:47 am, Peter Simons wrote:
> Since most of you seem to believe that the bug is really
> not that serious, I am certain this will worry you not in
> the least.

I assume that you intend to 'blow the whistle' because you are incapable or
unwilling to submit a patch for the issue yourself?

I agree that there is a lot of room for improvement in the portage security
system. Signed ebuilds are a good start, but without ways to verify those
signatures from a second source (presumably a different portage mirror),
signed ebuilds don't buy much security.

I wouldn't waste your time hypothesizing about a man in the middle attack.
While MOTM attacks are theoretically possible on many many protocols, they
are *not* a serious threat, because of the scale on which they must be
undertaken, and the general care taken to keep core routers secure. Small
scale MOTM attacks (like from a disgruntled employee) are certainly more
feasible, and more common, but still require a fair degree of sophistication.
Such an attacker for a small-scale MOTM attack probably has the
sophistication to undertake a different, easier exploit.

Others have already pointed out that Gentoo is a community based distribution.
We help each other. Picking fights with volunteers has probably taken about
as much time as it would have taken you to look at the python code and at
least propose a code *design* for a patch, even if you can't code it
yourself.

Regards,

- Brian

--
gentoo-security@g.o mailing list
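The "second source" idea in Brian's message, as an added Python example that is not code from this thread or from portage itself: fetch the Manifest from two independent mirrors, refuse to proceed unless both copies agree entry by entry, and only then check the local distfile against the agreed size and digest. The simplified `DIST <file> <size> SHA256 <hex>` layout and the file contents are constructed for the example; the real Manifest format is richer, and the signature check on each Manifest copy is assumed to happen elsewhere (e.g. with gpg) before these functions are called.

```python
import hashlib
import hmac

# Assumed simplified Manifest layout: one "DIST <file> <size> SHA256 <hex>" per line.
# Real portage Manifests carry more fields; this subset is enough to show the cross-check.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, tuple[int, str]]:
    """Map file name -> (size, sha256 hex). Reject anything that is not the assumed layout."""
    entries: dict[str, tuple[int, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "DIST" or parts[3] != "SHA256":
            raise ValueError(f"malformed Manifest line: {line!r}")
        name, size, digest = parts[1], int(parts[2]), parts[4].lower()
        if name in entries:
            raise ValueError(f"duplicate Manifest entry for {name}")
        entries[name] = (size, digest)
    return entries


def make_manifest(files: dict[str, bytes]) -> str:
    """Build a Manifest in the assumed layout from in-memory file contents (test helper)."""
    return "".join(
        f"DIST {name} {len(data)} SHA256 {sha256_hex(data)}\n"
        for name, data in sorted(files.items())
    )


def cross_check(manifest_a: str, manifest_b: str) -> tuple[bool, str]:
    """Two independently fetched Manifest copies must list the same files with the same digests."""
    a, b = parse_manifest(manifest_a), parse_manifest(manifest_b)
    if set(a) != set(b):
        return False, "file lists differ between the two sources"
    for name in sorted(a):
        if a[name] != b[name]:
            return False, f"{name}: size or digest differs between the two sources"
    return True, "both sources agree"


def verify_distfile(name: str, data: bytes, manifest_a: str, manifest_b: str) -> tuple[bool, str]:
    """Accept a distfile only if both Manifest copies agree and the file matches the agreed entry."""
    ok, why = cross_check(manifest_a, manifest_b)
    if not ok:
        return False, why
    entry = parse_manifest(manifest_a).get(name)
    if entry is None:
        return False, f"{name}: not listed in Manifest"
    size, digest = entry
    if len(data) != size:
        return False, f"{name}: size mismatch"
    # Constant-time comparison; harmless here, but the habit matters for secret-derived values.
    if not hmac.compare_digest(sha256_hex(data), digest):
        return False, f"{name}: digest mismatch"
    return True, f"{name}: verified against two agreeing sources"


# Constructed sample data: the "real" distfiles, a good Manifest served by both mirrors,
# and a tampered copy in which one mirror advertises a digest for a replaced tarball.
FILES = {
    "foo-1.0.tar.gz": b"constructed tarball bytes for foo",
    "bar-2.1.tar.gz": b"constructed tarball bytes for bar",
}
GOOD_MANIFEST = make_manifest(FILES)
TAMPERED_MANIFEST = make_manifest({**FILES, "foo-1.0.tar.gz": b"trojaned contents"})


if __name__ == "__main__":
    print(cross_check(GOOD_MANIFEST, GOOD_MANIFEST))
    print(cross_check(GOOD_MANIFEST, TAMPERED_MANIFEST))
    print(verify_distfile("foo-1.0.tar.gz", FILES["foo-1.0.tar.gz"], GOOD_MANIFEST, GOOD_MANIFEST))
    print(verify_distfile("foo-1.0.tar.gz", b"trojaned contents", GOOD_MANIFEST, TAMPERED_MANIFEST))
```

The point of the cross-check is that a single compromised mirror (or a single tampered path to it) can serve a consistent Manifest and tarball pair, so verifying one against the other proves nothing; requiring a second, independently retrieved copy to agree forces an attacker to compromise both.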