| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Peter Simons wrote: |
| 5 |
> Hans-Werner Hilse writes: |
| 6 |
> |
| 7 |
> > But i doubt that you really manage to hack up my BIND, |
| 8 |
> > place a transparent proxy in my connection to the net or |
| 9 |
> > convince me to use your fake mirror. |
| 10 |
> |
| 11 |
> Step #1: The problem doesn't exist. |
| 12 |
> |
| 13 |
> Step #2: The problem may exist, but it isn't exploitable. |
| 14 |
> |
| 15 |
> Step #3: The problem may be exploitable, but it is |
| 16 |
> extremely unlike to happen. |
| 17 |
> |
| 18 |
> Step #5: Well, maybe it is a problem, but there are far |
| 19 |
> more serious problems, so we don't need to fix it. |
| 20 |
> |
| 21 |
> Step #6: Even if it were worth fixing, it is way too |
| 22 |
> difficult to do. |
| 23 |
> |
| 24 |
> Step #7: Alright, alright. We will fix it as soon as we |
| 25 |
> find the time. |
| 26 |
> |
| 27 |
> Step #8: Great job, idiot, now that you have drawn attention |
| 28 |
> the fact that clueless user's machines can be |
| 29 |
> hacked, it is _your_ fault rather than the ours. |
| 30 |
> |
| 31 |
> Step #9: Please download the latest Service Pack. |
| 32 |
> |
| 33 |
|
| 34 |
First, as a caveat, this is me speaking as me, not as a Gentoo dev. |
| 35 |
|
| 36 |
Peter, please try to remember what Kurt said before, that Gentoo is a |
| 37 |
community-based distro and that there really is no ``them.'' Your |
| 38 |
mentality seems to be that we're acting as a commercial entity might to |
| 39 |
try to quash and cover up vulnerabilities that make us look bad. I've |
| 40 |
only been at Gentoo a relatively short time, but in that time, I've had |
| 41 |
access to both public and confidential vulnerabilities, and had a chance |
| 42 |
to witness the Gentoo security process from the inside. That process is |
| 43 |
designed solely to promote the absolute best security we can offer, |
| 44 |
never to save face or gain marketshare. |
| 45 |
|
| 46 |
Perhaps that sounds like a lot of marketing itself, but keep this in |
| 47 |
mind: if more people use Gentoo, I don't get anything out of it (but |
| 48 |
perhaps a little personal satisfaction). But if we do things |
| 49 |
poorly--from a security standpoint--not only do we look stupid, but I |
| 50 |
and the rest of the team are personally responsible for those who suffer |
| 51 |
the repurcussions of our mistakes. So we have very little incentive to |
| 52 |
cover-up a vulnerability, and every incentive to do what we can to |
| 53 |
promote the best security available. |
| 54 |
|
| 55 |
So why is this not being acted on? Well, this (in that it's a Portage |
| 56 |
vulnerability) is somewhat outside the scope of my regular skills, I'll |
| 57 |
admit. So I can't give you any definitive explanation. But--and I don't |
| 58 |
mean this to urge you not to publish anything you'd like, as this is |
| 59 |
already public knowledge--I think you'd do best to trust Kurt's reasons |
| 60 |
on this. Being a community-supported distro, if every developer is busy |
| 61 |
on something else of higher priority to him (and of course, we can |
| 62 |
hardly just hire someone else to fix this), this might languish for a |
| 63 |
while. And of course, if a user wants to see it fixed, that user can |
| 64 |
always submit a patch. |
| 65 |
|
| 66 |
But I'm not clear on what *your* goal is here by making a public stink. |
| 67 |
It would seem you're trying to encourage the Gentoo Project to fix this, |
| 68 |
which sounds pretty good and noble. Yet I have to wonder, for the amount |
| 69 |
of time you're spending on this, couldn't you just write the patch |
| 70 |
yourself at some point and save a lot of trouble? |
| 71 |
|
| 72 |
I guess my final point here is to remember that we're just a bunch of |
| 73 |
guys doing something we enjoy, and hopefully making a product that you |
| 74 |
and some other people find useful. We aren't making a profit. We aren't |
| 75 |
Microsoft. We aren't taking your money and then screwing you over behind |
| 76 |
your backs (uh, metaphorically, of course). So if it seems we're |
| 77 |
unresponsive, or unhelpful, or don't fix everything you'd like, just try |
| 78 |
sometimes to be a little more understanding. |
| 79 |
|
| 80 |
Thanks, Peter, |
| 81 |
Dan |
| 82 |
|
| 83 |
- -- |
| 84 |
Dan "KrispyKringle" Margolis |
| 85 |
Security Coordinator/Audit Project, Gentoo Linux |
| 86 |
-----BEGIN PGP SIGNATURE----- |
| 87 |
Version: GnuPG v1.2.4 (Darwin) |
| 88 |
|
| 89 |
iQEVAwUBQY+bdLDO2aFJ9pv2AQJ3ZQgAyK1HltQcW8OcaE1nRHkKv9QnV4ioqVQV |
| 90 |
yu2m7uEU2OGtAd25Xj5CUEpBOJiqsM4d1A8XprAunvA0CT6bvkkNzI/L47KkU/up |
| 91 |
E2OIClj72uuBGA7RYqCMlozZcnNP0dijheqI8whU9/10dJxKZEQ3AhTRrxWB8QEN |
| 92 |
mPqTQAJbM4iNU2R2c/pjPwWW62aNn3EENpLjBSMXJngV7DLzG5COXuxvUXryBFZ+ |
| 93 |
V9L15YpAlgr9qfrDizmMj/335dfot9gK9nsPK22ODfVUnCNzQQ6ZlFl+1BuqBhK3 |
| 94 |
B9XGjXtm/47qQQ3C4ke60+bcdoMdycape8LtqMsBP9jZI2GAbdKhmA== |
| 95 |
=afXK |
| 96 |
-----END PGP SIGNATURE----- |
| 97 |
|
| 98 |
-- |
| 99 |
gentoo-security@g.o mailing list |
Archives