* [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
[not found] <CAOyQwLi2RPD3mZVtnvTyS4M6Rb96Np=m0EiGzDpAeOMzmDcECg@mail.gmail.com>
@ 2015-03-10 17:48 ` Patrick Schleizer
2015-03-10 19:53 ` Brian Dolbec
0 siblings, 1 reply; 3+ messages in thread
From: Patrick Schleizer @ 2015-03-10 17:48 UTC (permalink / raw
To: Vladimir Diaz, gentoo-portage-dev; +Cc: Justin Cappos, adrelanos grayson
Hi,
I am wondering why posts by Vladimir Diaz and Justin Cappos are not
visible on the gentoo-portage-dev mailing list archive.
Lost in spam filter?
Have you received them?
Should the listmaster be contacted?
Cheers,
Patrick
Vladimir Diaz:
> Hi,
>
> I am a developer in the Secure Systems Lab at NYU. Our lab has
> collaborated with popular software update systems in the open-source
> community, including APT, yum, and YaST, to address security problems.
> More recently, we have been working on a flexible security framework
> co-developed with the Tor project that can be easily added to software
> updaters to transparently solve many of the known security flaws we have
> uncovered in software updaters. We would like to work with The Portage
> Development Project to better secure the Portage distribution system.
>
> TUF
> <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> (The Update Framework) is a library that can be added to an existing
> software update system and is designed to update files in a more secure
> manner. Many software updaters verify software updates with cryptographic
> signatures and hash functions, but they typically fail to protect against
> malicious attacks that target the metadata and update files presented to
> clients. A rollback attack is one such example, where an attacker tricks a
> client into installing older files than those the client has already seen
> (these older files may be vulnerable versions that have since been fixed).
> A full list of attacks and weaknesses the framework is designed to address
> is provided here
> <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>
> .
>
> Our website <http://theupdateframework.com/index.html> includes more
> information about TUF, including: papers
> <https://github.com/theupdateframework/tuf/tree/develop/docs/papers> and a
> specification
> <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> If you want to see how an existing project integrates TUF, there is a
> standards track proposal
> <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> to the Python community that you can review. A more rigorous proposal that
> requires more administrative work on the repository, but provides more
> security protections, is also available
> <https://www.python.org/dev/peps/pep-0480/>.
>
> Thanks,
> Vlad
>
> P.S.
> There is an informational Gentoo Linux Enhancement Proposal that references
> the security issues that our project addresses, but there hasn't been much
> recent activity.
>
>
> --
> vladimir.v.diaz@gmail.com
> PGP fingerprint = ACCF 9DCA 73B9 862F 93C5 6608 63F8 90AA 1D25 3935
> --
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
2015-03-10 17:48 ` [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security Patrick Schleizer
@ 2015-03-10 19:53 ` Brian Dolbec
2015-03-10 21:55 ` Patrick Schleizer
0 siblings, 1 reply; 3+ messages in thread
From: Brian Dolbec @ 2015-03-10 19:53 UTC (permalink / raw
To: gentoo-portage-dev
On Tue, 10 Mar 2015 17:48:58 +0000
Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:
> Hi,
>
> I am wondering why posts by Vladimir Diaz and Justin Cappos are not
> visible on the gentoo-portage-dev mailing list archive.
>
> Lost in spam filter?
>
> Have you received them?
>
> Should the listmaster be contacted?
>
> Cheers,
> Patrick
>
You must be subscribed to the list in order to post. No spam filter
that I know of other than the above. Perhaps it's a blocking issue,
I've heard some domains/subdomains cause issues and/or blocked or
something along those lines.
> Vladimir Diaz:
> > Hi,
> >
> > I am a developer in the Secure Systems Lab at NYU. Our lab has
> > collaborated with popular software update systems in the open-source
> > community, including APT, yum, and YaST, to address security
> > problems. More recently, we have been working on a flexible
> > security framework co-developed with the Tor project that can be
> > easily added to software updaters to transparently solve many of
> > the known security flaws we have uncovered in software updaters.
> > We would like to work with The Portage Development Project to
> > better secure the Portage distribution system.
> >
> > TUF
> > <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> > (The Update Framework) is a library that can be added to an existing
> > software update system and is designed to update files in a more
> > secure manner. Many software updaters verify software updates with
> > cryptographic signatures and hash functions, but they typically
> > fail to protect against malicious attacks that target the metadata
> > and update files presented to clients. A rollback attack is one
> > such example, where an attacker tricks a client into installing
> > older files than those the client has already seen (these older
> > files may be vulnerable versions that have since been fixed). A
> > full list of attacks and weaknesses the framework is designed to
> > address is provided here
> > <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security> .
> >
> > Our website <http://theupdateframework.com/index.html> includes more
> > information about TUF, including: papers
> > <https://github.com/theupdateframework/tuf/tree/develop/docs/papers>
> > and a specification
> > <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> > If you want to see how an existing project integrates TUF, there is
> > a standards track proposal
> > <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> > to the Python community that you can review. A more rigorous
> > proposal that requires more administrative work on the repository,
> > but provides more security protections, is also available
> > <https://www.python.org/dev/peps/pep-0480/>.
> >
> > Thanks,
> > Vlad
> >
> > P.S.
> > There is an informational Gentoo Linux Enhancement Proposal that
> > references the security issues that our project addresses, but
> > there hasn't been much recent activity.
> >
> >
> > --
> > vladimir.v.diaz@gmail.com
> > PGP fingerprint = ACCF 9DCA 73B9 862F 93C5 6608 63F8 90AA 1D25 3935
> > --
> >
>
>
--
Brian Dolbec <dolsen>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
2015-03-10 19:53 ` Brian Dolbec
@ 2015-03-10 21:55 ` Patrick Schleizer
0 siblings, 0 replies; 3+ messages in thread
From: Patrick Schleizer @ 2015-03-10 21:55 UTC (permalink / raw
To: gentoo-portage-dev
Brian Dolbec:
> On Tue, 10 Mar 2015 17:48:58 +0000
> Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:
>
>> Hi,
>>
>> I am wondering why posts by Vladimir Diaz and Justin Cappos are not
>> visible on the gentoo-portage-dev mailing list archive.
>>
>> Lost in spam filter?
>>
>> Have you received them?
>>
>> Should the listmaster be contacted?
>>
>> Cheers,
>> Patrick
>>
>
> You must be subscribed to the list in order to post. No spam filter
> that I know of other than the above. Perhaps it's a blocking issue,
> I've heard some domains/subdomains cause issues and/or blocked or
> something along those lines.
Alright, thanks. Wasn't signed up. Sorted out.
Just appeared on the list and on the web interface.
[gentoo-portage-dev] Portage and Update Security
http://archives.gentoo.org/gentoo-portage-dev/message/94425239fcaedcee6c49ef398f12aa85
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-03-10 21:56 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CAOyQwLi2RPD3mZVtnvTyS4M6Rb96Np=m0EiGzDpAeOMzmDcECg@mail.gmail.com>
2015-03-10 17:48 ` [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security Patrick Schleizer
2015-03-10 19:53 ` Brian Dolbec
2015-03-10 21:55 ` Patrick Schleizer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox