From: Kurt Lieber
To: Peter Simons
Cc: gentoo-security@lists.gentoo.org
Date: Sun, 7 Nov 2004 15:40:46 +0000
Message-ID: <20041107154046.GG10927@mail.lieber.org>
In-Reply-To: <87sm7lvm17.fsf@peti.cryp.to>
Subject: Re: [gentoo-security] Is anybody else worried about this? (was: Trojan for Gentoo, part 2)

On Sun, Nov 07, 2004 at 02:14:28PM +0100 or thereabouts, Peter Simons wrote:
> I would kindly request a statement from the Gentoo developers about this.

I'm a developer, but you should consider the following to be my opinion
only and not any sort of official statement.

> Specifically:
>
> (1) Do you agree that this is a problem?

As another poster already noted, of course it is, but it's not specific to
Gentoo. What happens if the server hosting the master repository of glibc
gets compromised? How do you know that hasn't already happened and there's
back doors galore on your machine right now?

That may seem like a smart-ass question, but stop for a moment and consider
it seriously. How do you *KNOW* that there are no backdoors in the version
of glibc on your computer right now?

> (2) Are there plans for getting it fixed?

We already implemented a major change nearly a year ago by moving
'rsync.gentoo.org' onto servers that are managed by the Gentoo team.
Previously, we relied on community mirrors which worked well, but didn't
allow us to ensure the servers were all held to the same high security
standard.

We've also taken a number of other steps to mitigate this type of exposure,
including getting GPG signing into portage and the creation of an auditing
project which reviews the ebuilds and code used in our distribution.

> (3) Is there any estimate how long this will take?

n/a

> I have read some of the material Alexander hyper-linked to
> and, frankly, most of it is outright frightening.

Then you should immediately unplug your computer from the internet. The
minute you jack in, you're accepting some level of risk. That's just the
nature of the beast.

--kurt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBjkH+JPpRNiftIEYRAqzSAJ9lTtiMoobQhjyMlz1G8DeIissBswCfVm1X
eRLNUcsNSOp6UZbeNwdaxmY=
=1FMi
-----END PGP SIGNATURE-----
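The message above raises the mirror-compromise question (what if the server holding the tree is compromised?) and names signing as one of the mitigations. The following is an added example, not part of the message and not portage's own code, illustrating why a manifest of file hashes served from the same mirror does not by itself detect a compromised mirror, while a manifest signed with a key the mirror never holds does. The tree contents, the manifest format and the key are all constructed for the example; a keyed HMAC stands in for the real (asymmetric, GPG) signature so the block runs on the standard library alone.

```python
"""Added example: hash manifest vs. signed manifest against a compromised mirror.

Constructed simplified manifest format ("SHA256 <hex> <path>"), not the
format portage actually uses.  HMAC-SHA256 stands in for a detached GPG
signature: the point is only that the mirror cannot produce a valid
signature because it does not hold the signing key.
"""
import hashlib
import hmac

# Constructed sample tree as served by a mirror: path -> file content.
GOOD_TREE = {
    "sys-libs/glibc/glibc-2.3.4.ebuild": b'DESCRIPTION="GNU libc"\nSRC_URI="mirror://gnu/glibc"\n',
    "sys-libs/glibc/files/glibc-2.3.4-fix.patch": b"--- a/file\n+++ b/file\n",
}

# Constructed release key.  In a real deployment this is an asymmetric
# signing key kept off every mirror; only the verification half is public.
SIGNING_KEY = b"constructed-release-key-held-off-mirror"


def build_manifest(tree):
    """Produce one 'SHA256 <hex> <path>' line per file, sorted by path."""
    return "\n".join(
        f"SHA256 {hashlib.sha256(data).hexdigest()} {path}"
        for path, data in sorted(tree.items())
    )


def parse_manifest(text):
    """Return {path: hex digest}; reject unknown hash algorithms."""
    entries = {}
    for line in text.splitlines():
        algo, digest, path = line.split(" ", 2)
        if algo != "SHA256":
            raise ValueError(f"unsupported hash algorithm {algo!r}")
        entries[path] = digest
    return entries


def verify_tree(tree, manifest_text):
    """Return the paths that fail the manifest: wrong hash, or present on
    only one side (extra file in the tree, or listed file missing)."""
    entries = parse_manifest(manifest_text)
    bad = []
    for path in sorted(set(entries) | set(tree)):
        if path not in tree or path not in entries:
            bad.append(path)
        elif hashlib.sha256(tree[path]).hexdigest() != entries[path]:
            bad.append(path)
    return bad


def sign_manifest(manifest_text, key):
    """Stand-in signature: HMAC-SHA256 over the manifest text."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_signature(manifest_text, signature, key):
    """Constant-time comparison of the manifest's signature."""
    return hmac.compare_digest(sign_manifest(manifest_text, key), signature)


def file_only_tamper():
    """A mirror that alters one file but leaves the manifest alone."""
    tree = dict(GOOD_TREE)
    tree["sys-libs/glibc/glibc-2.3.4.ebuild"] += b"# constructed modification\n"
    return tree, build_manifest(GOOD_TREE)


def mirror_regenerates_manifest():
    """A compromised mirror alters a file and regenerates the manifest so the
    hashes match again.  Only the signature is beyond its reach."""
    tree = dict(GOOD_TREE)
    tree["sys-libs/glibc/glibc-2.3.4.ebuild"] += b"# constructed modification\n"
    return tree, build_manifest(tree)


def check_file_only_tamper():
    """Hash manifest alone catches a file changed without the manifest."""
    tree, manifest = file_only_tamper()
    return verify_tree(tree, manifest)  # -> the modified ebuild path


def check_unsigned_manifest():
    """Hash manifest alone misses a mirror that rewrote both."""
    tree, manifest = mirror_regenerates_manifest()
    return verify_tree(tree, manifest)  # -> [] (nothing detected)


def check_signed_manifest():
    """With signing, the served manifest fails verification because the
    mirror can only replay the signature over the original manifest."""
    tree, manifest = mirror_regenerates_manifest()
    replayed_sig = sign_manifest(build_manifest(GOOD_TREE), SIGNING_KEY)
    sig_ok = verify_signature(manifest, replayed_sig, SIGNING_KEY)
    return sig_ok, verify_tree(tree, manifest)  # -> (False, [])
```

The order of checks matters: the signature over the manifest is verified first, and only a manifest that passes is used to check file hashes. A client that skips the first step has the same exposure the message describes, whatever the strength of the hash.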