From: Antoine Martin
To: Jason Stubbs
Cc: gentoo-security@lists.gentoo.org
Date: Wed, 10 Nov 2004 12:54:44 +0000
Subject: Re: [gentoo-security] Re: Out of air

> > The current development effort that is underway is not one that can be
> > implemented overnight, but there is a solution that manages to satisfy
> > the core needs of this thread that can be implemented overnight.

I second that. To reply to a few other threads:

1) This is no disrespect to the gentoo devs (kudos here) or the other,
   better solution that is in the works. Just a band-aid we would rather
   have now.
2) To all those saying that code should be submitted, we do not have
   access to the rsync servers needed to code 5 lines of bash.

> I would advise everybody to read through aforementioned discussions in the
> archives of gentoo-dev@gentoo.org before pursuing this. Something that
> appears so simple as this on the surface still has a number of sharp edges.
> The infrastructure team would have to do some careful planning and possibly
> restructuring of job control on the master rsync and cvs servers. The portage
> team would need to implement support for verifying the signature is valid.
> Whoever else would have to plan and implement distribution of this
> all-powerful key.

I think we all admit it may take some time, but we are talking about the
quick and dirty solution as a stop-gap measure, nothing else. And if the
better solution takes more than 1.5 years to roll out, backup plans are
just common sense - not criticism.

> But it doesn't stop there. Following this would be plan of action for the case
> that the all-powerful key is compromised. Then there is also the up to six
> month transition period between this solution and the solution that is
> currently being implemented. That also requires careful planning and
> implementation. So.. adding this simple solution now actually more than
> doubles the amount of work that needs to be done down the track.

Would you care to expand on that? It is just a cron job and a script, how
would that double the amount of work in the future?!?

Antoine