public inbox for gentoo-security@lists.gentoo.org
From: Kurt Lieber <klieber@gentoo.org>
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] The solution and hopefully the end.
Date: Wed, 10 Nov 2004 13:52:02 +0000
Message-ID: <20041110135202.GQ10927@mail.lieber.org>
In-Reply-To: <41919EC1.5010809@awry.ws>


On Tue, Nov 09, 2004 at 08:53:21PM -0800 or thereabouts, Chris Haumesser wrote:
> Devs, what have you to lose by helping us do this?  I don't think I 
> understand the resistance, outside of the emotional reaction triggered 
> by this thread's initiator.

The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here.  I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.

This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do.  I
think it's safe to say that all of the other developers share that same
motivation.  If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.

You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction.   Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless.  That's fine -- I don't begrudge them because I do what I do
because I enjoy it.  So, when taking a stand on what you feel to be an
important issue, keep this in mind:  It does not matter if you are morally
right.  It does not matter if the issue is serious.  If you take the fun
out of developing this distro, Gentoo will die, period.   

Anyway, enough preaching.  This thread has gone on long enough.  The
solution that's been agreed upon is signing the daily snapshots that we
provide for users who can't use rsync.  (/snapshots directory on your
favorite source mirror)

This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very few changes to our existing
infrastructure.  emerge-webrsync will be hacked up to provide verification
support for it.  I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution.  It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.

--kurt

P.S.  I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred.  If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...
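
The verify-before-unpack step that the message above describes, as an added example; it is not part of the original post and is not emerge-webrsync's code. It assumes a detached OpenPGP signature checked with gpg and a pinned signing-key fingerprint; the file names, the throwaway key and the tree contents are constructed.

```shell
#!/bin/sh
# Added example: verify a signed tree snapshot before unpacking, failing closed.
# File names, key identity and tree contents are constructed for the demo.

# verify_and_unpack TARBALL SIG PINNED_FPR DESTDIR
# Unpacks only if SIG is a valid detached signature made by key PINNED_FPR.
verify_and_unpack() (
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || exit 1
    # A good signature from some other key in the keyring is not enough.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 " || exit 1
    mkdir -p "$4" && tar -xf "$1" -C "$4"
)

# demo: prints a verdict for: genuine snapshot, altered tree, wrong pinned key.
demo() (
    work=$(mktemp -d) || exit 2
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway key standing in for the snapshot signing key (assumption).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Snapshot Demo <demo@example.invalid>' \
        default default never 2>/dev/null || exit 2
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
          awk -F: '/^fpr:/ { print $10; exit }')

    mkdir -p "$work/portage/app-misc/foo"
    echo 'constructed ebuild' > "$work/portage/app-misc/foo/foo-1.0.ebuild"
    tar -cf "$work/snap.tar" -C "$work" portage
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign -o "$work/snap.tar.sig" "$work/snap.tar" 2>/dev/null || exit 2

    # A mirror serving an altered tree next to the genuine signature.
    echo 'altered ebuild' > "$work/portage/app-misc/foo/foo-1.0.ebuild"
    tar -cf "$work/altered.tar" -C "$work" portage

    zero=0000000000000000000000000000000000000000   # not the signer's fingerprint
    out=
    for c in "snap.tar $fpr" "altered.tar $fpr" "snap.tar $zero"; do
        set -- $c
        if verify_and_unpack "$work/$1" "$work/snap.tar.sig" "$2" "$work/out.$1.$2"
        then out="$out accept"; else out="$out reject"; fi
    done
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo $out
)

demo
```

The single signature covers every file in the tree only because the bytes that are unpacked are the same bytes that were verified.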
