From: Mike Frysinger
Organization: wh0rd.org
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] how to handle sensitive files when generating binary packages
Date: Wed, 20 Jun 2007 18:28:00 -0400
In-Reply-To: <1182376965.12859.7.camel@localhost>
Message-Id: <200706201828.00854.vapier@gentoo.org>

On Wednesday 20 June 2007, Olivier Crête wrote:
> On Wed, 2007-20-06 at 17:19 -0400, Mike Frysinger wrote:
> > the use of the binpkg is not an issue, it's the creation ... people
> > blindly creating tbz2's which could contain their sensitive files and
> > posting them
> >
> > i'll just go ahead with the feedback from Olivier and have quickpkg skip
> > CONFIG_PROTECT by default
>
> This will by default create potentially broken packages (since many just
> won't work without their CONFIG_PROTECTed files). That's why I suggested
> a big fat warning and accepting that we can't protect users against
> themselves or against social engineering (aka their own stupidity).

i think this would only be an issue where quickpkg is being run
non-interactively and the output not being reviewed (which i also don't think
is a common scenario for quickpkg) ... the new output of quickpkg will be
explicit in what it is (or isn't) doing so there won't be any issue of "drive
by" social engineering

as for dubbing people who are successfully socially engineered "stupid", i
don't really think that's appropriate ... consider noobs on irc in #gentoo who
just want to help and haven't learned their way around yet. are they stupid
(well they might be, but let's give them the benefit of the doubt)? i'd
liken the situation to a kid growing up ... kids aren't stupid, they lack
experience and calling them stupid isn't constructive
-mike

--
gentoo-dev@gentoo.org mailing list