From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-security-return-1520-arch-gentoo-security=gentoo.org@lists.gentoo.org>
Received: (qmail 11665 invoked from network); 8 Nov 2004 02:39:40 +0000
Received: from smtp.gentoo.org (156.56.111.197)
  by lists.gentoo.org with AES256-SHA encrypted SMTP; 8 Nov 2004 02:39:40 +0000
Received: from lists.gentoo.org ([156.56.111.196] helo=parrot.gentoo.org)
	by smtp.gentoo.org with esmtp (Exim 4.41)
	id 1CQzRU-00001r-24
	for arch-gentoo-security@lists.gentoo.org; Mon, 08 Nov 2004 02:39:40 +0000
Received: (qmail 250 invoked by uid 89); 8 Nov 2004 02:39:18 +0000
Mailing-List: contact gentoo-security-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-security@gentoo.org>
List-Help: <mailto:gentoo-security-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-security-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-security-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@gentoo.org
Received: (qmail 14363 invoked from network); 8 Nov 2004 02:39:18 +0000
From: Jason Stubbs <jstubbs@work-at.co.jp>
Organization: Work@ Inc
To: gentoo-security@lists.gentoo.org
Date: Mon, 8 Nov 2004 11:40:09 +0900
User-Agent: KMail/1.7.1
References: <418ED3B7.5030608@ahsoftware.de>
In-Reply-To: <418ED3B7.5030608@ahsoftware.de>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200411081140.09816.jstubbs@work-at.co.jp>
Subject: Re: [gentoo-security] Gentoo's security
X-Archives-Salt: 9a0c39d7-b195-4579-a3f9-dead75385256
X-Archives-Hash: 1b52bcf5d4f1b0487555c5340c1c94cb

On Monday 08 November 2004 11:02, Alexander Holler wrote:
> So you have on the one side carefully crafted environments to protect
> the system/user from software-failures or attackers, but on the other
> side there is portage which is run regulary and is fetching scripts from
> the internet which are run unchecked by root.
>
> I think this explains why I doesn't understand that nobody cares about
> that.

It really seems to me like you are trolling. The first email you sent was done 
so after getting frustrated with Mike Frysinger's (vapier) closing of the 
"versioned eclasses" bug. Yet, what you are talking about here is absolutely 
nothing to do with that. You made most of the same statements on the bug, but 
they were off-topic in that bug's context as well. Furthermore, there is 
already another bug open for that off-topicness.

So, let me give you an account of where I see things are at:
* SHA1 support is in portage but can't be enabled yet due to compatibility 
  issues. That is, enabling it will prevent user's running <portage-2.0.51 
  from being able to upgrade.
* Ebuild signing support is in portage and is starting to be adopted. 
  Presently, there is a push for developer education.
* CVS portage now runs most ebuild phases as the portage user rather than 
  root and work is being done to support the last few as well.
* Eclass, package and profile signing are all currently being worked on (and 
  had begun before you started trolling)

The thing you seem to keep coming back to is why it hasn't already been 
completed. You've been given the answer to that several times - lack of time 
and higher priority issues. What I really would like to know is why you are 
trying to tie up so much more of the time of the people that you would have 
implement support for these critical features with these pointless emails?

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list