From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-security-return-1494-arch-gentoo-security=gentoo.org@lists.gentoo.org>
Received: (qmail 25515 invoked from network); 7 Nov 2004 17:26:58 +0000
Received: from smtp.gentoo.org (156.56.111.197)
  by lists.gentoo.org with AES256-SHA encrypted SMTP; 7 Nov 2004 17:26:58 +0000
Received: from lists.gentoo.org ([156.56.111.196] helo=parrot.gentoo.org)
	by smtp.gentoo.org with esmtp (Exim 4.41)
	id 1CQqoc-0007Lw-7T
	for arch-gentoo-security@lists.gentoo.org; Sun, 07 Nov 2004 17:26:58 +0000
Received: (qmail 422 invoked by uid 89); 7 Nov 2004 17:26:36 +0000
Mailing-List: contact gentoo-security-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-security@gentoo.org>
List-Help: <mailto:gentoo-security-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-security-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-security-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@gentoo.org
Received: (qmail 1557 invoked from network); 7 Nov 2004 17:26:36 +0000
Date: Sun, 7 Nov 2004 11:26:29 -0600
From: Barry.Schwartz@chemoelectric.org
Cc: gentoo-security@lists.gentoo.org
Message-ID: <20041107172629.GA29564@crud.crud.mn.org>
References: <418D310B.6050106@ahsoftware.de> <87sm7lvm17.fsf@peti.cryp.to> <20041107154034.242838cb.Ballarin.Marc@gmx.de> <87hdo1u1a3.fsf@peti.cryp.to> <20041107180004.31d27abe.Ballarin.Marc@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041107180004.31d27abe.Ballarin.Marc@gmx.de>
User-Agent: Mutt/1.5.6i
Subject: Re: [gentoo-security] Re: Is anybody else worried about this?
X-Archives-Salt: b1987b61-7ed5-450b-b643-95a3bd163802
X-Archives-Hash: 617a4fee3177eb0d79c40fb30b374674

Marc Ballarin <Ballarin.Marc@gmx.de> wrote:
> The further problem is responsibility. A source package on an external
> project's server is trojaned. A Gentoo developer signs the ebuild and
> the source code. The trojan is discovered. Now, what should happen?
> The developer has claimed implicitly, through his signature, that the
> package is correct.
> What do you do? Call the developer a liar, just lazy, or do you even
> understand and accept the situation?
> In any case, you can no longer trust this developers signature, in fact
> you never could.

Not so.  Either you can't trust the developer, in which case his or
her signature _can_ be trusted (within reason) as an indication of
trouble; or it's just one of those things.  Everyone makes a mistake
now and then, and no cryptography can stop that.  And at least you
know (within reason) where the package came from, making analysis
after the fact simpler.


-- 
Barry.Schwartz@chemoelectric.org    http://www.chemoelectric.org
     If nothing is beneath them, and they control the machines of
election, and if we know these things, then what fools are we who
accept the election and plan for another like it?

--
gentoo-security@gentoo.org mailing list