-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Simons wrote:
> Hans-Werner Hilse writes:
>
> > But I doubt that you really manage to hack up my BIND,
> > place a transparent proxy in my connection to the net or
> > convince me to use your fake mirror.
>
> Step #1: The problem doesn't exist.
>
> Step #2: The problem may exist, but it isn't exploitable.
>
> Step #3: The problem may be exploitable, but it is
> extremely unlikely to happen.
>
> Step #5: Well, maybe it is a problem, but there are far
> more serious problems, so we don't need to fix it.
>
> Step #6: Even if it were worth fixing, it is way too
> difficult to do.
>
> Step #7: Alright, alright. We will fix it as soon as we
> find the time.
>
> Step #8: Great job, idiot, now that you have drawn attention
> to the fact that clueless users' machines can be
> hacked, it is _your_ fault rather than ours.
>
> Step #9: Please download the latest Service Pack.
>

First, as a caveat, this is me speaking as me, not as a Gentoo dev.

Peter, please try to remember what Kurt said before, that Gentoo is a
community-based distro and that there really is no ``them.'' Your
mentality seems to be that we're acting as a commercial entity might to
try to quash and cover up vulnerabilities that make us look bad. I've
only been at Gentoo a relatively short time, but in that time, I've had
access to both public and confidential vulnerabilities, and had a chance
to witness the Gentoo security process from the inside. That process is
designed solely to promote the absolute best security we can offer,
never to save face or gain market share.

Perhaps that sounds like a lot of marketing itself, but keep this in
mind: if more people use Gentoo, I don't get anything out of it (but
perhaps a little personal satisfaction). But if we do things
poorly--from a security standpoint--not only do we look stupid, but I
and the rest of the team are personally responsible for those who suffer
the repercussions of our mistakes. So we have very little incentive to
cover up a vulnerability, and every incentive to do what we can to
promote the best security available.

So why is this not being acted on? Well, this (in that it's a Portage
vulnerability) is somewhat outside the scope of my regular skills, I'll
admit. So I can't give you any definitive explanation. But--and I don't
mean this to urge you not to publish anything you'd like, as this is
already public knowledge--I think you'd do best to trust Kurt's reasons
on this. Being a community-supported distro, if every developer is busy
on something else of higher priority to him (and of course, we can
hardly just hire someone else to fix this), this might languish for a
while. And of course, if a user wants to see it fixed, that user can
always submit a patch.

But I'm not clear on what *your* goal is here by making a public stink.
It would seem you're trying to encourage the Gentoo Project to fix this,
which sounds pretty good and noble. Yet I have to wonder, for the amount
of time you're spending on this, couldn't you just write the patch
yourself at some point and save a lot of trouble?

I guess my final point here is to remember that we're just a bunch of
guys doing something we enjoy, and hopefully making a product that you
and some other people find useful. We aren't making a profit. We aren't
Microsoft. We aren't taking your money and then screwing you over behind
your backs (uh, metaphorically, of course). So if it seems we're
unresponsive, or unhelpful, or don't fix everything you'd like, just try
sometimes to be a little more understanding.

Thanks, Peter,
Dan

- --
Dan "KrispyKringle" Margolis
Security Coordinator/Audit Project, Gentoo Linux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQY+bdLDO2aFJ9pv2AQJ3ZQgAyK1HltQcW8OcaE1nRHkKv9QnV4ioqVQV
yu2m7uEU2OGtAd25Xj5CUEpBOJiqsM4d1A8XprAunvA0CT6bvkkNzI/L47KkU/up
E2OIClj72uuBGA7RYqCMlozZcnNP0dijheqI8whU9/10dJxKZEQ3AhTRrxWB8QEN
mPqTQAJbM4iNU2R2c/pjPwWW62aNn3EENpLjBSMXJngV7DLzG5COXuxvUXryBFZ+
V9L15YpAlgr9qfrDizmMj/335dfot9gK9nsPK22ODfVUnCNzQQ6ZlFl+1BuqBhK3
B9XGjXtm/47qQQ3C4ke60+bcdoMdycape8LtqMsBP9jZI2GAbdKhmA==
=afXK
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list