* [gentoo-security] unsubscribe me -- I've had enough
From: Lee Bowyer @ 2004-11-11 18:56 UTC
To: gentoo-security
yeah? see subject...
what a pointless list.
--
Lee Bowyer
Lee@networkpenetration.com
www.networkpenetration.com
--
gentoo-security@gentoo.org mailing list
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Jeff Smelser @ 2004-11-11 19:18 UTC
To: gentoo-security
On Thursday 11 November 2004 12:56 pm, Lee Bowyer wrote:
> yeah? see subject...
> what a pointless list.
Oh, let me get out my violin and hanky..
Jeff
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Gary Nichols @ 2004-11-11 19:19 UTC
To: gentoo-security
On Thu, 11 Nov 2004, Matthew Baxa wrote:
> Don't send unsubscribe requests to the list, follow the directions in the
> headers.
<My two cents>
I think he sent it to the list as a matter of protest.
</My two cents>
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Matthew Baxa @ 2004-11-11 19:30 UTC
To: gentoo-security
Don't send unsubscribe requests to the list, follow the directions in
the headers.
On Nov 11, 2004, at 12:56 PM, Lee Bowyer wrote:
> yeah? see subject...
> what a pointless list.
>
> --
>
> Lee Bowyer
> Lee@networkpenetration.com
> www.networkpenetration.com
>
> --
> gentoo-security@gentoo.org mailing list
>
>
>
-----------
Matthew Baxa <mbaxa@k-state.edu>
Application Services Administrator
Office of Mediated Education CC 55
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Matthew Baxa @ 2004-11-11 19:37 UTC
To: Gary Nichols; +Cc: gentoo-security
I realize this, but it still was childish. "I'm not talking to you
any more so there!" :)
On Nov 11, 2004, at 1:19 PM, Gary Nichols wrote:
> On Thu, 11 Nov 2004, Matthew Baxa wrote:
>
>> Don't send unsubscribe requests to the list, follow the directions in
>> the headers.
>
> <My two cents>
>
> I think he sent it to the list as a matter of protest.
>
> </My two cents>
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>
-----------
Matthew Baxa <mbaxa@k-state.edu>
Application Services Administrator
Office of Mediated Education CC 55
* [gentoo-security] Maybe a new approach?
From: James Dennis @ 2004-11-11 19:43 UTC
To: gentoo-security
So much of the recent chatter could've been held in irc or some other
medium. Would it be stupid to have scheduled irc meetings at some point
when list posting gets out of hand like this? A digest could be posted
to the list to explain what happened in the meeting.
I primarily read this list for advisories and new ideas, but would
prefer a list of ideas or methods be broken apart into something more
readable and lacking flames and in fewer emails.
James
On Nov 11, 2004, at 2:19 PM, Gary Nichols wrote:
> On Thu, 11 Nov 2004, Matthew Baxa wrote:
>
>> Don't send unsubscribe requests to the list, follow the directions in
>> the headers.
>
> <My two cents>
>
> I think he sent it to the list as a matter of protest.
>
> </My two cents>
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>
* Re: [gentoo-security] Maybe a new approach?
From: Jeff Smelser @ 2004-11-11 19:55 UTC
To: gentoo-security
On Thursday 11 November 2004 01:43 pm, James Dennis wrote:
> I primarily read this list for advisories and new ideas, but would
> prefer a list of ideas or methods be broken apart into something more
> readable and lacking flames and in fewer emails.
wtf did you guys think you were doing when you signed up? If you want
announcements, join the security announcement list.. This is for security
related discussion..
From the site:
gentoo-security -- For the discussion of security issues and fixes
KEY WORD DISCUSSION.. This is a friggin list..
Jeff
* Re: [gentoo-security] Maybe a new approach?
From: Glen Combe @ 2004-11-11 20:11 UTC
To: gentoo-security
The key word being discussion. So we have Peter's fix. Are there any
others?
Kurt, can you clarify this for me or give me more detail... on what you
mean by what you say below? What is the more robust solution? I don't recall
reading it here?
"The solution that Peter is requesting (generating hashes of files not
already hashed and then signing all Manifests/hashes) is considerably more
risky and is not something I will implement since we have a more robust,
better solution in the works already."
Thanks
----- Original Message -----
From: "Jeff Smelser" <tradergt@smelser.org>
To: <gentoo-security@lists.gentoo.org>
Sent: Thursday, November 11, 2004 12:55 PM
Subject: Re: [gentoo-security] Maybe a new approach?
* Re: [gentoo-security] Maybe a new approach?
From: Kurt Lieber @ 2004-11-11 20:20 UTC
To: gentoo-security
On Thu, Nov 11, 2004 at 01:11:15PM -0700 or thereabouts, Glen Combe wrote:
> Kurt can you clarify this for me or give me more detail... on what you
> mean what you say below? What is the more robust solution? I don't recall
> reading it here?
>
> "The solution that Peter is requesting (generating hashes of files not
> already hashed and then signing all Manifests/hashes) is considerably more
> risky and is not something I will implement since we have a more robust,
> better solution in the works already."
It's been mentioned numerous times. The strategic approach to fixing this
issue is taking the work we've already put into signed manifests and
extending it to cover other files as well (eclasses, profiles, etc.) There
is an open RFE bug for this and Jason (one of our portage devs) has already
said they're working on it.
--kurt
* Re: [gentoo-security] Maybe a new approach?
From: Glen Combe @ 2004-11-11 20:31 UTC
To: gentoo-security
Kurt.
Detail of time and implementation is what I have in mind. I sense you might
have a good feel for that? Weeks? Months?
----- Original Message -----
From: "Kurt Lieber" <klieber@gentoo.org>
To: <gentoo-security@lists.gentoo.org>
Sent: Thursday, November 11, 2004 1:20 PM
Subject: Re: [gentoo-security] Maybe a new approach?
* Re: [gentoo-security] Maybe a new approach?
From: Kurt Lieber @ 2004-11-11 20:33 UTC
To: gentoo-security
On Thu, Nov 11, 2004 at 01:31:14PM -0700 or thereabouts, Glen Combe wrote:
> Detail of time and implementation is what I have in mind. I sense you might
> have a good feel for that? Weeks? Months?
Nope, I have no sense whatsoever, so I won't even hazard a guess.
--kurt
* Re: [gentoo-security] Maybe a new approach?
From: Marius Mauch @ 2004-11-12 10:00 UTC
To: gentoo-security
On Thu, 11 Nov 2004 13:31:14 -0700
"Glen Combe" <gcombe@co.weber.ut.us> wrote:
> Kurt.
>
> Detail of time and implementation is what I have in mind. I sense you
> might have a good feel for that? Weeks? Months?
Well, first let's see what we're still missing implementation-wise:
1) checksums/signatures for eclasses, profiles, the "scripts" dir and
maybe a few others
2) enforcement for devs to sign their packages
3) some kind of PKI for portage signing keys
4) better verification support, the current implementation has a few
problems (performance sucks and key management is almost completely
manual)
5) stuff I forgot to mention here
So now what needs to be done to fix these points:
1) a) decide how these files are to be signed/verified (one Manifest for
all eclasses, individual signatures, ...)
b) modify repoman to work in those dirs (currently it's only for
package dirs)
2) a) ensure that *ALL* devs use repoman
b) change repoman so only signed packages/eclasses/... are committed
3) not sure
4) a) find a way to improve gpg performance
b) add support for 3)
5) no clue ;)
From this list, 1a), 2a) and 3) are outside the scope of dev-portage
(well, we could make an arbitrary decision for 1a), so I can't give any
estimates for them. I also can't give any estimate for 4a) as I don't
know if that's possible or 4b) as it depends on 3). So the only points I
can give any information on are 1b) and 2b):
1b) shouldn't be too difficult although repoman is a tricky piece of
software, I'd guess it would take a week or so for an initial
implementation (depends on 1a of course)
2b) Tricky to do this in a proper way. Pretty much needs real
transaction support in repoman. An 80% solution is pretty simple though
(less than a week). I'd need to go into implementation details of
repoman to completely explain this.
Marius
--
Public Key at http://www.genone.de/info/gpg-key.pub
In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
* RE: [gentoo-security] unsubscribe me -- I've had enough
From: Giles Coochey @ 2004-11-12 11:53 UTC
To: Matthew Baxa, Gary Nichols; +Cc: gentoo-security
>
> I realize this, but it still was childish. "I'm not talking to you
> any more so there!" :)
>
Actually, I think it's "I don't want to quietly listen to you anymore,
so there!"
You may as well unsubscribe me as well.
> On Nov 11, 2004, at 1:19 PM, Gary Nichols wrote:
>
> > On Thu, 11 Nov 2004, Matthew Baxa wrote:
> >
> >> Don't send unsubscribe requests to the list, follow the directions in
> >> the headers.
> >
> > <My two cents>
> >
> > I think he sent it to the list as a matter of protest.
> >
> > </My two cents>
> >
> >
> > --
> > gentoo-security@gentoo.org mailing list
> >
> >
> -----------
> Matthew Baxa <mbaxa@k-state.edu>
> Application Services Administrator
> Office of Mediated Education CC 55
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Andrej Kacian @ 2004-11-26 23:12 UTC
To: gentoo-security
On Fri, 12 Nov 2004 11:53:15 -0000
"Giles Coochey" <giles.coochey@mirada-solutions.com> wrote:
> >
> > I realize this, but it still was childish. "I'm not talking to you
> > any more so there!" :)
> >
>
> Actually, I think it's "I don't want to quietly listen to you anymore,
> so there!"
>
> You may as well unsubscribe me as well.
Why would anyone waste their time by doing something you can do yourself,
for yourself?
--
/~\ The ASCII Andrej "Ticho" Kacian <ticho at gentoo dot sk>
\ / Ribbon Campaign GnuPG public key ID: 7CD93FE2 (pgp.mit.edu)
X Against HTML Key fingerprint:
/ \ Email! E87D 9DEF 2A23 6FFB 7AD9 542F 4253 3A46 7CD9 3FE2
* Re: [gentoo-security] unsubscribe me -- I've had enough
From: Chris Smith @ 2004-11-27 4:29 UTC
To: gentoo-security
On Sat, 27 Nov 2004 12:12, Andrej Kacian wrote:
> Why would anyone waste their time by doing something you can do yourself,
> for yourself?
Why did you bother flaming someone for an email sent two weeks ago? In fact,
there is no reason for you to have said that at all.
Grow up.
Chris.