From: Kurt Lieber
To: Chris Frey
Cc: gentoo-security@lists.gentoo.org
Date: Sun, 7 Nov 2004 23:26:55 +0000
Subject: Re: [gentoo-security] Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
Message-ID: <20041107232655.GN10927@mail.lieber.org>
In-Reply-To: <20041107120135.C9045@netdirect.ca>

On Sun, Nov 07, 2004 at 12:01:35PM -0500 or thereabouts, Chris Frey wrote:
> Plus, the glibc ebuild maintainer should be tracking the changes. He knows
> what's going on in glibc land, he knows the build process, he should be
> in touch with the main developers, and he should be reading the diffs.

If you believe this happens for even 20% of the packages in our tree, you're mistaken. Most devs look at changelogs. Few devs look at code diffs. Note I did not say "Gentoo devs".

> I would instead recommend that he compare Gentoo to other distros that take
> package signing more seriously. It may be that the features and benefits
> of a source-based distro like Gentoo outweigh the need for signed ebuilds,
> like it does for me on one of my machines. But it also may mean that
> some machines require the security and peace of mind of another distro's
> signing practices and verification policies. Other machines I admin
> fall into this category as well.

I would recommend that you, along with the other folks who have misunderstood what this thread is about, go back and re-read the original post. This has nothing to do with signed ebuilds in portage. Signed ebuilds in portage are something that is already implemented and supported as an experimental feature as of 2.0.51:

http://www.gentoo.org/news/20041021-portage51.xml

The original poster was talking about the inability to verify *eclasses*, not ebuilds. eclasses are an important part of portage from a features and functionality perspective, but they make up a small fraction of the overall tree in terms of sheer number of files. My point was and still is that investing the time and effort to also sign these files isn't worth it given the myriad of other larger holes that already exist further upstream. We can argue all day long about whether or not to stick our finger in the dike to plug the leak we see, but if there's a 3x3 hole just around the bend that's gushing water, are we really serving any useful purpose?

Or, to leverage one of the primary tenets of FOSS -- if there are folks on the list who truly believe this is a hole that should be fixed, provide patches to portage to add this functionality. It already supports signing to some degree -- one could reasonably assume that adding support for signing of eclasses is relatively easy for a competent Python programmer.

--kurt