From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 7651 invoked by uid 1002); 7 Sep 2003 18:24:40 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 2290 invoked from network); 7 Sep 2003 18:24:38 -0000 From: Martin Schlemmer Reply-To: azarah@gentoo.org To: Jan Krueger Cc: Thomas de Grenier de Latour , Gentoo-Dev In-Reply-To: <200309071955.39319.jk@microgalaxy.net> References: <200309071907.03222.jk@microgalaxy.net> <20030907193918.06808631.degrenier@easyconnect.fr> <200309071955.39319.jk@microgalaxy.net> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-09C6BQ6DMh89jSTChZV8" Message-Id: <1062959282.8455.151.camel@nosferatu.lan> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.4 Date: Sun, 07 Sep 2003 20:28:02 +0200 Subject: Re: [gentoo-dev] Some suggestions X-Archives-Salt: 79f5e794-6432-47ef-b80c-2d34589efc84 X-Archives-Hash: 33e0c63edb356c6c3aefcf8cf02be4e0 --=-09C6BQ6DMh89jSTChZV8 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sun, 2003-09-07 at 21:55, Jan Krueger wrote: > So does fixing the security holes in portage. We have identified 2 big on= es so=20 > far: > 1. functions like pkg_postinst > 2. easy to compromise bash scripts > and another one is already well known: > 3. the centralized portage tree >=20 > That leads me to the conclusions: > portage is unsecure by design >=20 > Please (the one responsible for it) clearify the statement: > "Thanks to a technology called Portage, Gentoo Linux can become an ideal=20 > secure server" in http://www.gentoo.org/main/en/about.xml >=20 > I have to remove gentoo from my servers a little bit faster it seems... >=20 Ok, but .rpm/.deb have the same kind of flaws ... From here on I can only see that you can use LFS or such, that you can make sure everything is ok. PS: How are you going to verify that gcc's cvs repo was not compromised? Or the kernel's ? I guess you are going to start coding you own kernel, tool-chain and the rest even sooner now that we know how flawed linux, gnuish apps, etc are. --=20 Martin Schlemmer Gentoo Linux Developer, Desktop/System Team Developer Cape Town, South Africa --=-09C6BQ6DMh89jSTChZV8 Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQA/W3iyqburzKaJYLYRAg1vAKCOj5rAEiz2Vl8fkEZ/TKQnTJi/DQCfdhC1 poiBaAOQ3iPtRKEaJ7H32jA= =FjYp -----END PGP SIGNATURE----- --=-09C6BQ6DMh89jSTChZV8--