From: Kurt Lieber <klieber@gentoo.org>
To: Peter Simons <simons@cryp.to>
Cc: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
Date: Sun, 7 Nov 2004 15:40:46 +0000 [thread overview]
Message-ID: <20041107154046.GG10927@mail.lieber.org> (raw)
In-Reply-To: <87sm7lvm17.fsf@peti.cryp.to>
[-- Attachment #1: Type: text/plain, Size: 1750 bytes --]
On Sun, Nov 07, 2004 at 02:14:28PM +0100 or thereabouts, Peter Simons wrote:
> I would kindly request a statement from the Gentoo developers about this.
I'm a developer, but you should consider the following to be my opinion
only and not any sort of official statement.
> Specifically:
>
> (1) Do you agree that this is a problem?
As another poster already noted, of course it is, but it's not specific to
Gentoo. What happens if the server hosting the master repository of glibc
gets compromised? How do you know that hasn't already happened and there's
back doors galore on your machine right now? That may seem like a
smart-ass question, but stop for a moment and consider it seriously. How
do you *KNOW* that there are no backdoors in the version of glibc on your
computer right now?
> (2) Are there plans for getting it fixed?
We already implemented a major change nearly a year ago by moving
'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
Previously, we relied on community mirrors which worked well, but didn't
allow us to ensure the servers were all held to the same high security
standard.
We've also taken a number of other steps to mitigate this type of exposure
including getting GPG signing into portage and the creation of an auditing
project which reviews the ebuilds and code used in our distribution.
> (3) Is there any estimate how long this will take?
n/a
> I have read some of the material Alexander hyper-linked to
> and, frankly, most of it is outright frightening.
Then you should immediately unplug your computer from the internet. The
minute you jack in, you're accepting some level of risk. That's just the
nature of the beast.
--kurt
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2004-11-07 15:41 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-06 20:16 [gentoo-security] Trojan for Gentoo, part 2 Alexander Holler
2004-11-07 0:31 ` [gentoo-security] " Chris Frey
2004-11-07 13:10 ` [gentoo-security] help blocking automated ssh scanning attack script Brian G. Peterson
2004-11-07 13:16 ` Gary Nichols
2004-11-07 13:31 ` Brian G. Peterson
2004-11-07 13:37 ` Rui Covelo
2004-11-07 13:50 ` aScii
2004-11-08 4:44 ` Kim Nielsen
2004-11-07 14:50 ` [gentoo-security] Re: Trojan for Gentoo, part 2 Jason Rojas
2004-11-07 17:01 ` Carsten Lohrke
2004-11-07 15:23 ` Kurt Lieber
2004-11-07 15:44 ` Peter Simons
2004-11-07 15:49 ` Kurt Lieber
2004-11-07 16:01 ` Jan Groenewald
2004-11-07 16:07 ` Peter Simons
2004-11-07 16:52 ` Dan Margolis
2004-11-07 17:43 ` Andreas Waschbuesch
2004-11-07 17:52 ` Dan Margolis
2004-11-07 19:08 ` Chocron J.
2004-11-07 19:11 ` Andreas Waschbuesch
2004-11-08 2:41 ` [gentoo-security] How to authenticate the portage tree Peter Simons
2004-11-08 9:37 ` [gentoo-security] Gentoo Portage Attack Tree Ervin Németh
2004-11-08 10:11 ` Kurt Lieber
2004-11-08 12:15 ` [gentoo-security] " Peter Simons
2004-11-12 7:00 ` Ed Grimm
2004-11-08 20:05 ` [gentoo-security] How to authenticate the portage tree Marius Mauch
2004-11-07 13:14 ` [gentoo-security] Is anybody else worried about this? (was: Trojan for Gentoo, part 2) Peter Simons
2004-11-07 15:40 ` [gentoo-security] Is anybody else worried about this? Marc Ballarin
2004-11-07 15:15 ` Tobias Klausmann
2004-11-07 15:20 ` Alex
2004-11-07 15:28 ` [gentoo-security] " Peter Simons
2004-11-07 15:45 ` Rui Covelo
2004-11-07 16:44 ` [gentoo-security] " Chris Frey
2004-11-07 17:04 ` Rui Covelo
2004-11-07 17:11 ` [gentoo-security] " Chris Frey
2004-11-07 17:56 ` [gentoo-security] " Peter Simons
2004-11-07 18:00 ` Marc Ballarin
2004-11-07 17:26 ` Barry.Schwartz
2004-11-07 16:31 ` Chris Frey
2004-11-07 17:07 ` [gentoo-security] " Dan Margolis
[not found] ` <418E5425.6070400@seas.upenn.edu>
2004-11-07 18:34 ` Marc Ballarin
2004-11-07 17:57 ` Dan Margolis
2004-11-07 19:36 ` Marc Ballarin
2004-11-07 18:51 ` [gentoo-security] " Peter Simons
2004-11-08 20:12 ` Marius Mauch
2004-11-07 15:40 ` Kurt Lieber [this message]
2004-11-07 17:01 ` [gentoo-security] Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2) Chris Frey
2004-11-07 18:35 ` Dan Noe
2004-11-07 19:04 ` Marc Ballarin
2004-11-07 18:25 ` Peter Simons
2004-11-07 23:26 ` Kurt Lieber
2004-11-07 23:52 ` [gentoo-security] No, apparently not. (was: Is anybody else worried about this?) Peter Simons
2004-11-08 0:17 ` Kurt Lieber
2004-11-08 1:05 ` [gentoo-security] " Peter Simons
2004-11-08 1:08 ` Anthony Gorecki
2004-11-08 1:18 ` Peter Simons
2004-11-08 16:11 ` Jake Hawkes
2004-11-08 1:31 ` Kurt Lieber
2004-11-08 1:35 ` Peter Simons
2004-11-08 9:19 ` Tobias Klausmann
2004-11-08 10:19 ` Kurt Lieber
2004-11-08 11:53 ` Tobias Klausmann
2004-11-08 12:17 ` Anthony Metcalf
2004-11-08 10:30 ` [gentoo-security] Re: No, apparently not Thierry Carrez
2004-11-08 12:01 ` Peter Simons
2004-11-08 10:36 ` [gentoo-security] Keys on a cd? Anthony Metcalf
2004-11-08 13:30 ` Kurt Lieber
2004-11-08 2:17 ` [gentoo-security] No, apparently not Brian Bilbrey
2004-11-08 2:33 ` [gentoo-security] " Peter Simons
2004-11-08 2:49 ` [gentoo-security] " Ed Grimm
2004-11-08 2:51 ` [gentoo-security] " Peter Simons
2004-11-08 3:01 ` Ed Grimm
2004-11-08 3:08 ` Peter Simons
2004-11-08 1:03 ` [gentoo-security] Re: Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2) Chris Frey
2004-11-08 1:19 ` Kurt Lieber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041107154046.GG10927@mail.lieber.org \
--to=klieber@gentoo.org \
--cc=gentoo-security@lists.gentoo.org \
--cc=simons@cryp.to \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox