public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
From: Patrick Schleizer @ 2015-03-10 17:48 UTC
  To: Vladimir Diaz, gentoo-portage-dev; +Cc: Justin Cappos, adrelanos grayson

Hi,

I am wondering why posts by Vladimir Diaz and Justin Cappos are not
visible on the gentoo-portage-dev mailing list archive.

Lost in spam filter?

Have you received them?

Should the listmaster be contacted?

Cheers,
Patrick

Vladimir Diaz:
> Hi,
> 
> I am a developer in the Secure Systems Lab at NYU.  Our lab has
> collaborated with popular software update systems in the open-source
> community, including APT, yum, and YaST, to address security problems.
> More recently, we have been working on a flexible security framework
> co-developed with the Tor project that can be easily added to software
> updaters to transparently solve many of the known security flaws we have
> uncovered in software updaters.  We would like to work with The Portage
> Development Project to better secure the Portage distribution system.
> 
> TUF
> <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> (The Update Framework) is a library that can be added to an existing
> software update system and is designed to update files in a more secure
> manner.  Many software updaters verify software updates with cryptographic
> signatures and hash functions, but they typically fail to protect against
> malicious attacks that target the metadata and update files presented to
> clients.  A rollback attack is one such example, where an attacker tricks a
> client into installing older files than those the client has already seen
> (these older files may be vulnerable versions that have since been fixed).
> A full list of attacks and weaknesses the framework is designed to address
> is provided here
> <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>
> .
> 
> Our website <http://theupdateframework.com/index.html> includes more
> information about TUF, including: papers
> <https://github.com/theupdateframework/tuf/tree/develop/docs/papers> and a
> specification
> <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> If you want to see how an existing project integrates TUF, there is a
> standards track proposal
> <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> to the Python community that you can review.  A more rigorous proposal that
> requires more administrative work on the repository, but provides more
> security protections, is also available
> <https://www.python.org/dev/peps/pep-0480/>.
> 
> Thanks,
> Vlad
> 
> P.S.
> There is an informational Gentoo Linux Enhancement Proposal that references
> the security issues that our project addresses, but there hasn't been much
> recent activity.
> 
> 
> --
> vladimir.v.diaz@gmail.com
> PGP fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
> --
> 




* Re: [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
From: Brian Dolbec @ 2015-03-10 19:53 UTC
  To: gentoo-portage-dev

On Tue, 10 Mar 2015 17:48:58 +0000
Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:

> Hi,
> 
> I am wondering why posts by Vladimir Diaz and Justin Cappos are not
> visible on the gentoo-portage-dev mailing list archive.
> 
> Lost in spam filter?
> 
> Have you received them?
> 
> Should the listmaster be contacted?
> 
> Cheers,
> Patrick
> 

You must be subscribed to the list in order to post.  No spam filter
that I know of other than the above.  Perhaps it's a blocking issue,
I've heard some domains/subdomains cause issues and/or blocked or
something along those lines.




> Vladimir Diaz:
> > Hi,
> > 
> > I am a developer in the Secure Systems Lab at NYU.  Our lab has
> > collaborated with popular software update systems in the open-source
> > community, including APT, yum, and YaST, to address security
> > problems. More recently, we have been working on a flexible
> > security framework co-developed with the Tor project that can be
> > easily added to software updaters to transparently solve many of
> > the known security flaws we have uncovered in software updaters.
> > We would like to work with The Portage Development Project to
> > better secure the Portage distribution system.
> > 
> > TUF
> > <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> > (The Update Framework) is a library that can be added to an existing
> > software update system and is designed to update files in a more
> > secure manner.  Many software updaters verify software updates with
> > cryptographic signatures and hash functions, but they typically
> > fail to protect against malicious attacks that target the metadata
> > and update files presented to clients.  A rollback attack is one
> > such example, where an attacker tricks a client into installing
> > older files than those the client has already seen (these older
> > files may be vulnerable versions that have since been fixed). A
> > full list of attacks and weaknesses the framework is designed to
> > address is provided here
> > <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security> .
> > 
> > Our website <http://theupdateframework.com/index.html> includes more
> > information about TUF, including: papers
> > <https://github.com/theupdateframework/tuf/tree/develop/docs/papers>
> > and a specification
> > <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> > If you want to see how an existing project integrates TUF, there is
> > a standards track proposal
> > <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> > to the Python community that you can review.  A more rigorous
> > proposal that requires more administrative work on the repository,
> > but provides more security protections, is also available
> > <https://www.python.org/dev/peps/pep-0480/>.
> > 
> > Thanks,
> > Vlad
> > 
> > P.S.
> > There is an informational Gentoo Linux Enhancement Proposal that
> > references the security issues that our project addresses, but
> > there hasn't been much recent activity.
> > 
> > 
> > --
> > vladimir.v.diaz@gmail.com
> > PGP fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
> > --
> > 
> 
> 



-- 
Brian Dolbec <dolsen>




* Re: [gentoo-portage-dev] List moderation issue? was - Re: Portage and Updater Security
From: Patrick Schleizer @ 2015-03-10 21:55 UTC
  To: gentoo-portage-dev

Brian Dolbec:
> On Tue, 10 Mar 2015 17:48:58 +0000
> Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:
> 
>> Hi,
>>
>> I am wondering why posts by Vladimir Diaz and Justin Cappos are not
>> visible on the gentoo-portage-dev mailing list archive.
>>
>> Lost in spam filter?
>>
>> Have you received them?
>>
>> Should the listmaster be contacted?
>>
>> Cheers,
>> Patrick
>>
> 
> You must be subscribed to the list in order to post.  No spam filter
> that I know of other than the above.  Perhaps it's a blocking issue,
> I've heard some domains/subdomains cause issues and/or blocked or
> something along those lines.

Alright, thanks. Wasn't signed up. Sorted out.

Just appeared on the list and on the web interface.

[gentoo-portage-dev] Portage and Update Security

http://archives.gentoo.org/gentoo-portage-dev/message/94425239fcaedcee6c49ef398f12aa85


