| 1 |
On Thu, Nov 11, 2004 at 07:23:49PM +0100 or thereabouts, Peter Simons wrote: |
| 2 |
> And what pisses me off is not that _I_ have been treated |
| 3 |
> somewhat unfriendly here on this list, it is that "some" |
| 4 |
> guys are recklessly ignoring a security vulnerability that |
| 5 |
> threatens your users -- no matter how minor the risk may be. |
| 6 |
|
| 7 |
Nobody is recklessly ignoring anything. I suggested an option which will |
| 8 |
give those users that care the ability to verify the contents of every |
| 9 |
single file under /usr/portage. Namely, signing the daily snapshots of the |
| 10 |
tree. You indicated that you didn't think this was sufficient and that |
| 11 |
instead, you wanted hashes generated of every file in the tree because |
| 12 |
otherwise, "regular" users would be unprotected. |
| 13 |
|
| 14 |
What was unclear about your request is how the functionality was going to |
| 15 |
be integrated into 'emerge sync'. Are you expecting the portage devs to |
| 16 |
drop everything and integrate that functionality immediately? |
| 17 |
|
| 18 |
What is also unclear is why the first option is insufficient. You stated a |
| 19 |
requirement to be able to verify the integrity and authenticity of every |
| 20 |
file under /usr/portage/ to ensure that no MIM attacks were taking place. |
| 21 |
The suggestion of signing snapshots meets that requirement in every way and |
| 22 |
does it in a way that introduces very little risk to our system. |
| 23 |
|
| 24 |
> If that is not on-topic here, and I wonder what is. |
| 25 |
|
| 26 |
I've never said your posts were off-topic. I said you were attacking |
| 27 |
people -- not just Gentoo developers, but other users. Please do not |
| 28 |
attack the members of this list. |
| 29 |
|
| 30 |
--kurt |
Archives