From: Patrick Lauer
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Project Sunrise thread -- a try of clarification
Date: Fri, 09 Jun 2006 22:51:43 +0200
Message-Id: <1149886303.32544.7.camel@localhost>
In-Reply-To: <1149884042.22473.150.camel@cgianelloni.nuvox.net>
References: <44887368.9030302@gentoo.org> <1149803837.19443.101.camel@cgianelloni.nuvox.net> <4488A4F3.5060908@gentoo.org> <1149811589.19102.23.camel@vertigo.twi-31o2.org> <1149841698.9743.20.camel@localhost> <1149870017.22473.22.camel@cgianelloni.nuvox.net> <1149874871.9743.77.camel@localhost> <1149884042.22473.150.camel@cgianelloni.nuvox.net>

On Fri, 2006-06-09 at 16:14 -0400, Chris Gianelloni wrote:
[snip]
> > If someone wanted to exploit boxen he'd use a much simpler attack
> > vector ... our rsync mirrors are wide open. No need to secure the little
> > window over there when the front door is open ...
>
> Really? I'd like you to give me root on rsync.gentoo.org, then. What's
> that? You can't? What a wonder!

I don't need that ...

Look, three-step plan to hacking Gentoo boxen:
1) open a few rsync mirrors and get them into the official rotation
2) replace ebuilds on the server with your preferred rootkit installer
3) harvest all the zombies you just got

Since not all ebuilds are signed and signing is not enforced, portage will
not throw any errors if I take care of a few things (fixing manifests
etc.). So any person running an rsync mirror implicitly has the same level
of trust as a dev.

As for the rest of your email, I'd appreciate it if you didn't take this
so personally. There's no need to belittle or insult others to push your
agenda; it should stand on its own technical merits.

Patrick
--
Stand still, and let the rest of the universe move
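The trust gap Patrick describes above (hashes in a Manifest prove nothing about a mirror that can regenerate the Manifest; only an enforced developer signature does) can be shown concretely. The following is an added example and not code from the thread or from Portage: it assumes a simplified one-line-per-file Manifest format, an in-memory tree standing in for an rsync checkout, and ed25519 in place of the PGP signatures the mail refers to. A hash-only client and a signature-enforcing client are run against the same mirror-modified tree.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Tree stands in for a checked-out tree: relative path -> file contents.
// All contents below are constructed in memory; no real ebuilds are used.
type Tree map[string][]byte

// BuildManifest emits one "EBUILD <path> <size> SHA256 <hex>" line per file,
// sorted by path so output is deterministic. This is an assumed toy format,
// not Portage's real Manifest layout.
func BuildManifest(t Tree) string {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(t[p])
		fmt.Fprintf(&b, "EBUILD %s %d SHA256 %s\n", p, len(t[p]), hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// SignManifest is the developer-side step: the Manifest is signed with a key
// a mirror operator never holds (ed25519 here, standing in for PGP).
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

var (
	ErrUnsigned     = errors.New("manifest carries no signature")
	ErrBadSignature = errors.New("manifest signature does not verify under trusted key")
	ErrHashMismatch = errors.New("file hash does not match manifest")
)

// VerifyTree is the client-side check. It always compares every listed file
// against the Manifest hashes; with requireSig=true it first refuses any
// Manifest that is unsigned or whose signature fails under the trusted key.
func VerifyTree(t Tree, manifest string, sig []byte, pub ed25519.PublicKey, requireSig bool) error {
	if requireSig {
		if len(sig) == 0 {
			return ErrUnsigned
		}
		if !ed25519.Verify(pub, []byte(manifest), sig) {
			return ErrBadSignature
		}
	}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "EBUILD" || f[3] != "SHA256" {
			return fmt.Errorf("malformed manifest line: %q", line)
		}
		data, ok := t[f[1]]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing from tree", f[1])
		}
		sum := sha256.Sum256(data)
		if strconv.Itoa(len(data)) != f[2] || hex.EncodeToString(sum[:]) != f[4] {
			return fmt.Errorf("%w: %s", ErrHashMismatch, f[1])
		}
	}
	return nil
}

// Scenario plays out the situation in the mail: a developer signs a tree, a
// mirror serves a modified file with a regenerated Manifest. It reports what a
// hash-only client accepts and what a signature-enforcing client returns for
// an unsigned Manifest and for a stale (copied-over) signature.
func Scenario() (lenientAccepts bool, unsignedErr, staleSigErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	path := "app-misc/foo/foo-1.0.ebuild" // constructed path
	devTree := Tree{path: []byte("DESCRIPTION=\"foo\"\nsrc_install() { :; }\n")}
	devManifest := BuildManifest(devTree)
	devSig := SignManifest(priv, devManifest)
	if err := VerifyTree(devTree, devManifest, devSig, pub, true); err != nil {
		panic("legitimate tree must verify: " + err.Error())
	}

	// Mirror-side change plus a regenerated Manifest whose hashes match it.
	mirrorTree := Tree{path: []byte("DESCRIPTION=\"foo\"\nsrc_install() { echo changed-on-mirror; }\n")}
	mirrorManifest := BuildManifest(mirrorTree)

	lenientAccepts = VerifyTree(mirrorTree, mirrorManifest, nil, pub, false) == nil
	unsignedErr = VerifyTree(mirrorTree, mirrorManifest, nil, pub, true)
	staleSigErr = VerifyTree(mirrorTree, mirrorManifest, devSig, pub, true)
	return
}

func main() {
	lenient, unsigned, stale := Scenario()
	fmt.Println("hash-only client accepts regenerated manifest:", lenient)
	fmt.Println("signature-enforcing client, unsigned manifest:", unsigned)
	fmt.Println("signature-enforcing client, stale signature:", stale)
}
```

The hash-only client reports success because the regenerated Manifest is internally consistent with the served files, which is exactly why hashes alone give a mirror operator developer-level trust. The enforcing client rejects the same tree twice over: once because the Manifest carries no signature, and again when the mirror simply copies the developer's old signature, because that signature was made over different Manifest bytes.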