public inbox for gentoo-security@lists.gentoo.org
* Re: [gentoo-security] Out of air
@ 2004-11-10  2:05 Denis Roy
  2004-11-10  4:35 ` [gentoo-security] " Chris Frey
  0 siblings, 1 reply; 44+ messages in thread
From: Denis Roy @ 2004-11-10  2:05 UTC (permalink / raw
  To: gentoo-security


>> The reason why I am being confrontational is that if I
>> hadn't been, NOTHING WOULD HAVE HAPPENED!
>
>
> To be honest, I think the whole thread has achieved nothing. 


Nothing except, as we have all seen, annoying the hell out of many
list subscribers including myself.

> not prompted the beginning of a new initiative in signing the tree
because that was already underway. I very much doubt that it'll speed
up the progress made on that initiative, because the main limiting
factor is time. No matter what is said here, it's not going to make
anybody go out and quit their jobs in order to get tree signing
implemented quicker.


Peter: Why don't you join the effort instead of spending your days and
nights trying to talk people into doing it for you? This is open
source. You don't like it? Change it. If you can't? Learn how to. If
you don't want to, well *SWITCH*. Nobody's holding your balls.

Your "advisory" has been heard. Twice over. Either you help or you
wait. If you can't, move along.

Denis Roy 

--
gentoo-security@gentoo.org mailing list



* [gentoo-security] Re: Out of air
  2004-11-10  2:25 ` [gentoo-security] Out of air RNuno
@ 2004-11-10  3:07   ` Peter Simons
  2004-11-10  3:10     ` Anthony Gorecki
                       ` (2 more replies)
  0 siblings, 3 replies; 44+ messages in thread
From: Peter Simons @ 2004-11-10  3:07 UTC (permalink / raw
  To: gentoo-security

RNuno  writes:

 > Still.. being polite would be at least fair.

Fixing a vulnerability that threatens your user's machines
without me having to bitch and moan for _days_ would be
fair, too, and you don't do it either. So I think we are
even.

Peter


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10  3:07   ` [gentoo-security] " Peter Simons
@ 2004-11-10  3:10     ` Anthony Gorecki
  2004-11-10  3:29     ` Marius Mauch
       [not found]     ` <4191882C.3010002@ca.istop.com>
  2 siblings, 0 replies; 44+ messages in thread
From: Anthony Gorecki @ 2004-11-10  3:10 UTC (permalink / raw
  To: gentoo-security


On Tuesday 09 November 2004 7:07 pm, Peter Simons wrote:
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

This thread is degenerating into a heated debate to the likes of which I would 
expect from elementary school children. We know what needs to be done, and it 
will be done as soon as the developers are able; I agree with one of the 
previous comments: feel free to implement the code instead of complaining.

Leave it at that.


-- 
Anthony Gorecki
Ectro-Linux Foundation



* Re: [gentoo-security] Re: Out of air
  2004-11-10  3:07   ` [gentoo-security] " Peter Simons
  2004-11-10  3:10     ` Anthony Gorecki
@ 2004-11-10  3:29     ` Marius Mauch
       [not found]     ` <4191882C.3010002@ca.istop.com>
  2 siblings, 0 replies; 44+ messages in thread
From: Marius Mauch @ 2004-11-10  3:29 UTC (permalink / raw
  To: gentoo-security


On 10 Nov 2004 04:07:37 +0100
Peter Simons <simons@cryp.to> wrote:

> RNuno  writes:
> 
>  > Still.. being polite would be at least fair.
> 
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

Did you purchase a support contract? Oh wait, we don't sell those
...</sarcasm>

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.



* Re: [gentoo-security] Re: Out of air
       [not found]       ` <87zn1qtmd2.fsf@peti.cryp.to>
@ 2004-11-10  3:31         ` Den
  2004-11-10  3:41           ` Peter Simons
  0 siblings, 1 reply; 44+ messages in thread
From: Den @ 2004-11-10  3:31 UTC (permalink / raw
  To: Peter Simons, gentoo-security

>  > developers of open source software OWES nothing to the
>  > users.
> 
> May I quote that?

feel free but anyway by now your audience is dropping by the minute.

>  > but for now: BE GONE ALREADY.
> 
> Forget it.

then don't be surprised if you end up speaking to yourself. peace of
mind is but one click away... quite easy to achieve with good filters.

so long

*click*


--
gentoo-security@gentoo.org mailing list



* [gentoo-security] Re: Out of air
  2004-11-10  3:31         ` Den
@ 2004-11-10  3:41           ` Peter Simons
  0 siblings, 0 replies; 44+ messages in thread
From: Peter Simons @ 2004-11-10  3:41 UTC (permalink / raw
  To: gentoo-security

Den,

when you send carbon copies of a private e-mail exchange to
the mailing list out of the sudden, then please make sure
you don't forget to provide the proper context in your
quotes so that the readers know what it is about. Let me
help you with that:

 > Den writes:
 >
 >  > Peter Simons wrote:
 >
 >  >> Fixing a vulnerability that threatens your user's
 >  >> machines without me having to bitch and moan for _days_
 >  >> would be fair, too, and you don't do it either.
 >
 >  > developers of open source software OWES nothing to the
 >  > users.
 >
 > May I quote that?

Because otherwise it would look as if I had said something I
did not.

No need to apologize. Accidents happen.

Peter


--
gentoo-security@gentoo.org mailing list



* [gentoo-security] Re: Out of air
  2004-11-10  2:05 [gentoo-security] Out of air Denis Roy
@ 2004-11-10  4:35 ` Chris Frey
  2004-11-10  4:53   ` Chris Haumesser
  2004-11-10  5:00   ` [gentoo-security] Re: Out of air Jason Stubbs
  0 siblings, 2 replies; 44+ messages in thread
From: Chris Frey @ 2004-11-10  4:35 UTC (permalink / raw
  To: gentoo-security

On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
> > not prompted the beginning of a new initiative in signing the tree
>
> because that was already underway. I very much doubt that it'll speed
> up the progress made on that initiative, because the main limiting
> factor is time. No matter what is said here, it's not going to make
> anybody go out and quit their jobs in order to get tree signing
> implemented quicker.

The problem with phrasing it this way is that it implies there is only
one way to address this issue.  It may be true that Gentoo has decided
on only one way to address the issue, but there are other ways to do it.

The current development effort that is underway is not one that can be
implemented overnight, but there is a solution that manages to satisfy
the core needs of this thread that can be implemented overnight.

The requirements are:

	* admin access on the main Gentoo server
	* a cron job
	* a GPG key on the server
	* a script to do the heavy lifting

Of those items, only the script can be written by us normal users,
in order to help out in the Open Source way.  The people with admin
access to the main Gentoo server do not appear willing to install such
a script, even if someone else writes it.  (And I'm sure Peter would
jump at the chance to write it, and practically has already, and I'd
definitely be willing to help.)

I asked this before, and saw no response, so maybe it was missed in the
pile of messages.  I'll ask again:

	If someone posted a working and self-tested script to this mailing
	list, would Gentoo admins be willing to install it, provided it
	passed the peer review on this list?  (i.e. contained no glaring bugs)

If the answer was yes, this thread would be over.

- Chris


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10  4:35 ` [gentoo-security] " Chris Frey
@ 2004-11-10  4:53   ` Chris Haumesser
  2004-11-10  5:08     ` Jason Stubbs
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
  2004-11-10  5:00   ` [gentoo-security] Re: Out of air Jason Stubbs
  1 sibling, 2 replies; 44+ messages in thread
From: Chris Haumesser @ 2004-11-10  4:53 UTC (permalink / raw
  To: gentoo-security


Finally, a message I can fully agree with.

As there is a quick and dirty solution to improve the situation -- even 
with the understanding that it is not the "best" or "ideal" solution -- 
I would encourage the gentoo devs to implement it.  It really doesn't 
seem like rocket science.

I do consider it a significant problem that I cannot accurately verify 
that everything in my portage tree came from a trusted source.  Agreed, 
MITM attacks are not common.  However, it would seem important to have 
some sort of "audit trail" to verify that portage is what it's supposed 
to be.  Not only is this good proactive security, but it might also 
prove useful in tracking the source of some security problem.

An interim signing solution, as mentioned already in this list, would 
provide at least a mechanism (maybe not a great one, but one 
nonetheless) by which a user can verify that the files downloaded to his 
gentoo machine are those the developers intended to distribute.

I trust the devs implicitly, but I do not trust, nor can I control, most 
of the points between them and me.

I think ultimately the existing plan, to implement full gpg signing of 
each file in portage, is definitely the way to go.  In the meantime, 
while the infrastructure is laid for the superior, longterm proposal, 
why not spend an hour to provide an interim, if not ideal, solution?

Devs, what have you to lose by helping us do this?  I don't think I 
understand the resistance, outside of the emotional reaction triggered 
by this thread's initiator.


My $.02.


-C-




Chris Frey wrote:

>On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
>  
>
>>>not prompted the beginning of a new initiative in signing the tree
>>>      
>>>
>>because that was already underway. I very much doubt that it'll speed
>>up the progress made on that initiative, because the main limiting
>>factor is time. No matter what is said here, it's not going to make
>>anybody go out and quit their jobs in order to get tree signing
>>implemented quicker.
>>    
>>
>
>The problem with phrasing it this way is that it implies there is only
>one way to address this issue.  It may be true that Gentoo has decided
>on only one way to address the issue, but there are other ways to do it.
>
>The current development effort that is underway is not one that can be
>implemented overnight, but there is a solution that manages to satisfy
>the core needs of this thread that can be implemented overnight.
>
>The requirements are:
>
>	* admin access on the main Gentoo server
>	* a cron job
>	* a GPG key on the server
>	* a script to do the heavy lifting
>
>Of those items, only the script can be written by us normal users,
>in order to help out in the Open Source way.  The people with admin
>access to the main Gentoo server do not appear willing to install such
>a script, even if someone else writes it.  (And I'm sure Peter would
>jump at the chance to write it, and practically has already, and I'd
>definitely be willing to help.)
>
>I asked this before, and saw no response, so maybe it was missed in the
>pile of messages.  I'll ask again:
>
>	If someone posted a working and self-tested script to this mailing
>	list, would Gentoo admins be willing to install it, provided it
>	passed the peer review on this list?  (i.e. contained no glaring bugs)
>
>If the answer was yes, this thread would be over.
>
>- Chris
>
>
>--
>gentoo-security@gentoo.org mailing list
>
>  
>



* Re: [gentoo-security] Re: Out of air
  2004-11-10  4:35 ` [gentoo-security] " Chris Frey
  2004-11-10  4:53   ` Chris Haumesser
@ 2004-11-10  5:00   ` Jason Stubbs
  2004-11-10 12:54     ` Antoine Martin
  1 sibling, 1 reply; 44+ messages in thread
From: Jason Stubbs @ 2004-11-10  5:00 UTC (permalink / raw
  To: gentoo-security

On Wednesday 10 November 2004 13:35, Chris Frey wrote:
> On Tue, Nov 09, 2004 at 09:05:41PM -0500, Denis Roy wrote:
> > > not prompted the beginning of a new initiative in signing the tree
> >
> > because that was already underway. I very much doubt that it'll speed
> > up the progress made on that initiative, because the main limiting
> > factor is time. No matter what is said here, it's not going to make
> > anybody go out and quit their jobs in order to get tree signing
> > implemented quicker.
>
> The problem with phrasing it this way is that it implies there is only
> one way to address this issue.  It may be true that Gentoo has decided
> on only one way to address the issue, but there are other ways to do it.

A large part of the 1.5 years was spent discussing the best solution - threads 
not dissimilar to this one. Even to the end, there were still people bringing 
up the point that signing doesn't protect against wayward developers. Even 
so, after reviewing all the points a decision was reached because most agreed 
that something needed to be done.

> The current development effort that is underway is not one that can be
> implemented overnight, but there is a solution that manages to satisfy
> the core needs of this thread that can be implemented overnight.

I would advise everybody to read through aforementioned discussions in the 
archives of gentoo-dev@gentoo.org before pursuing this. Something that 
appears so simple as this on the surface still has a number of sharp edges. 
The infrastructure team would have to do some careful planning and possibly 
restructuring of job control on the master rsync and cvs servers. The portage 
team would need to implement support for verifying the signature is valid. 
Whoever else would have to plan and implement distribution of this 
all-powerful key.

But it doesn't stop there. Following this would be plan of action for the case 
that the all-powerful key is compromised. Then there is also the up to six 
month transition period between this solution and the solution that is 
currently being implemented. That also requires careful planning and 
implementation. So.. adding this simple solution now actually more than 
doubles the amount of work that needs to be done down the track.

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10  4:53   ` Chris Haumesser
@ 2004-11-10  5:08     ` Jason Stubbs
  2004-11-10  7:02       ` Chris Haumesser
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
  1 sibling, 1 reply; 44+ messages in thread
From: Jason Stubbs @ 2004-11-10  5:08 UTC (permalink / raw
  To: gentoo-security

On Wednesday 10 November 2004 13:53, Chris Haumesser wrote:
> I trust the devs implicitly, but I do not trust, nor can I control, most
> of the points between them and me.

Why not just take out those points in between?

GENTOO_MIRRORS="http://gentoo.osuosl.org" emerge-webrsync

The mirror should be whatever is listed first in /etc/make.globals, but that 
line right there guarantees you that you are getting the latest daily 
snapshot of the master rsync mirror from the master distfiles mirror.

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10  5:08     ` Jason Stubbs
@ 2004-11-10  7:02       ` Chris Haumesser
  2004-11-10  7:04         ` Chris Haumesser
  0 siblings, 1 reply; 44+ messages in thread
From: Chris Haumesser @ 2004-11-10  7:02 UTC (permalink / raw
  To: gentoo-security



* Re: [gentoo-security] Re: Out of air
  2004-11-10  7:02       ` Chris Haumesser
@ 2004-11-10  7:04         ` Chris Haumesser
  2004-11-10  7:22           ` Marius Mauch
  2004-11-10 10:03           ` Dominik Schäfer
  0 siblings, 2 replies; 44+ messages in thread
From: Chris Haumesser @ 2004-11-10  7:04 UTC (permalink / raw
  To: gentoo-security


 Sorry for the html. Here's a more legible version of my last post:

>Why not just take out those points in between?
>
>GENTOO_MIRRORS="http://gentoo.osuosl.org" emerge-webrsync
>  
>

Huh? How does this protect me from a potential MITM attack at my ISP, or
on my neighbor's insecure wireless network, which my laptop is currently
attached to? A simple traceroute shows sixteen hops between me and
gentoo.osuosl.org. That's sixteen potential opportunities for nastiness.

How can I even be sure that I am connecting to gentoo.osuosl.org, when
rsync is completely anonymous, with no ssl, no certificate chain,
nothing to verify the server's identity other than its rsync banner???

I might care less about verifying the integrity of my portage
tree, if I could at least be more certain of what server I'm connecting
to! Having neither assurance is a bit unsettling on a production machine.

>The portage 
>team would need to implement support for verifying the signature is valid. 
>
No, they /need/ not, and should not. I would be _thrilled_ to just get a
signature with my tree, that I can manually verify by firing up gpg. No
portage support is necessary for this interim solution. We all know
something better is in the works for portage.

Work on portage should absolutely focus on the better, long-term,
previously agreed-upon solution.

If the devs can just sign the tree, I can verify that my portage is what
the devs intended me to have, and the devs can continue working on the
more polished approach. Work on the best solution moves forward, while
those of us with heightened security needs (today!) can be more
confident of the integrity of our portage trees.

>The infrastructure team would have to do some careful planning and possibly 
>restructing of job control on the master rsync and cvs servers.
>
While there is surely some work in the area of job control, it has been
pointed out already that the proposed solution is not terribly resource
intensive. So unless gentoo's infrastructure is already severely
stretched to the max (is it? how do i know?), I can't see how this is a
huge obstacle. Is there an admin who can weigh in with an informed
answer on this? Too much speculation on this point, not enough fact.

>Following this would be plan of action for the case 
>that the all-powerful key is compromised. 
>
Key management/security/policy is an issue that will need to be
addressed regardless of the mechanics of any signing process, so I don't
see how that is a blocker to this proposal. The idea of a master key is
equally applicable (and optional) to both the proposal on this list, and
the one currently under development.

> Then there is also the up to six 
>month transition period between this solution and the solution that is 
>currently being implemented. 
>
If portage support for this temporary hack is not implemented, there is
clearly no six month transition period. Just that one day, those of us
who have been manually verifying the signature will no longer need to do so.


I must be misunderstanding something, because I still fail to see what
is so terribly difficult or impractical about merely generating a
signature file. Hell, this could already be done and implemented in the
time we've all wasted on this stupid thread.

No one is trying to derail or criticize or block the current
implementation. We just want some basic assurances (now, today) that the
scripts we're downloading are legitimately from the gentoo devs, who we
trust. As it stands, we can verify neither the identity of the rsync
server, nor the integrity of the portage tree we're downloading. That is
indeed a problem. And it's one we can mitigate now, even if the best
solution is still a ways off.


Cheers,


-C-




* Re: [gentoo-security] Re: Out of air
  2004-11-10  7:04         ` Chris Haumesser
@ 2004-11-10  7:22           ` Marius Mauch
  2004-11-10 10:03           ` Dominik Schäfer
  1 sibling, 0 replies; 44+ messages in thread
From: Marius Mauch @ 2004-11-10  7:22 UTC (permalink / raw
  To: gentoo-security


On Tue, 09 Nov 2004 23:04:39 -0800
Chris Haumesser <ch@awry.ws> wrote:

> > Then there is also the up to six 
> >month transition period between this solution and the solution that
> >is currently being implemented. 
> >
> If portage support for this temporary hack is not implemented, there
> is clearly no six month transition period. Just that one day, those of
> us who have been manually verifying the signature will no longer need
> to do so.

Well, verifying the signature only shows you that no one has modified the
file containing the hashes, you still have to verify that the hashes
match the actual files and I really doubt that you want to do that
manually for ~100000 files.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.



* Re: [gentoo-security] Re: Out of air
  2004-11-10  7:04         ` Chris Haumesser
  2004-11-10  7:22           ` Marius Mauch
@ 2004-11-10 10:03           ` Dominik Schäfer
  1 sibling, 0 replies; 44+ messages in thread
From: Dominik Schäfer @ 2004-11-10 10:03 UTC (permalink / raw
  To: gentoo-security

Chris Haumesser wrote:

> No, they /need/ not, and should not. I would be _thrilled_ to just
> get a signature with my tree, that I can manually verify by firing up
> gpg. No portage support is necessary for this interim solution. We
> all know something better is in the works for portage.
Mhmm, in that case you will not be able to use portage to get the
portage tree (at least it would not be reasonable) because emerge executes
some code from the tree during emerge sync as somebody wrote here two
days ago. If you do not verify the signature + hashes before that, it is
completely senseless to do it at all.
And as Marius mentioned you need a solution for checking 100000 hashes
(not just the gpg signature of the file containing the hashes). Somebody
has to write that, even if you don't patch portage.

> While there is surely some work in the area of job control, it has
> been pointed out already that the proposed solution is not terribly
> resource intensive. So unless gentoo's infrastructure is already
> severely stretched to the max (is it? how do i know?), I can't see
> how this is a huge obstacle. Is there an admin who can weigh in with
> an informed answer on this? Too much speculation on this point, not
> enough fact.
I am not a developer and I am basically repeating what people already
mentioned during the last 2 days.
You have to create the hashes and the signature every time somebody
commits something to the tree and you have to take care that nobody syncs
during that time. So, a simple cronjob (as suggested several times) is
not sufficient. As far as I perceived, some patch to repoman (?) would
be necessary. Certainly those hashes have to be created incrementally to
reduce load and calculation time which also adds some complexity.

> Key management/security/policy is an issue that will need to be
> addressed regardless of the mechanics of any signing process, so I
> don't see how that is a blocker to this proposal. The idea of a
> master key is equally applicable (and optional) to both the proposal
> on this list, and the one currently under development.
But the PKI and public key policy for Gentoo have not been developed yet
(AFAIK). And that is crucial for even a quick solution as a signature
without defined key policy (and management) is really not worth much.

Of course, all these issues can be solved, but not by the way...

My 2 Eurocents...
Dominik


--
gentoo-security@gentoo.org mailing list
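The interim scheme the thread keeps circling (Chris Frey's list of a cron job, a GPG key on the server and a script; Marius's point that a signature on the hash file proves nothing about the files unless every hash is re-checked; Dominik's point that nobody must sync a half-written manifest), written out as an added example. This is not code from the thread, from Gentoo or from portage. It assumes a POSIX sh with find/sort/xargs, sha1sum (or perl's shasum) and gpg for the two signing steps; the key id and the keyring path are placeholders, and file paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from this thread, from Gentoo or from portage.
# A signed hash manifest for a file tree, in the shape the thread debates:
#   make   - hash every file under TREE into TREE/Manifest (written atomically)
#   sign   - detached, armored GPG signature over the Manifest only
#   check  - recompute every hash and also flag files missing from the Manifest
#   verify - signature check followed by the full hash check
# Assumes POSIX sh with find/sort/xargs, sha1sum (or perl's shasum), and gpg
# for the two signing steps. Key ids and paths below are placeholders.

hash_tool() {
    # sha1sum from coreutils/busybox, else shasum from perl (same output format)
    if command -v sha1sum >/dev/null 2>&1; then echo sha1sum; else echo "shasum -a 1"; fi
}

list_tree() {
    # Regular files under $1, relative paths, fixed sort order, excluding the
    # Manifest itself, its signature and any in-progress temp file.
    ( cd "$1" && find . -type f ! -path ./Manifest ! -path ./Manifest.asc \
          ! -path './.Manifest.*' -print | LC_ALL=C sort )
}

make_manifest() {
    # Hash into a temp file and rename it into place, so a sync that runs
    # while the cron job is working never sees a half-written Manifest.
    tree=$1
    tmp=$(mktemp "$tree/.Manifest.XXXXXX") || return 1
    if ( cd "$tree" && list_tree . | xargs $(hash_tool) ) > "$tmp"; then
        chmod 644 "$tmp" && mv -f "$tmp" "$tree/Manifest"
    else
        rm -f "$tmp"; return 1
    fi
}

sign_manifest() {
    # Detached signature over the Manifest; the files themselves are covered
    # only through their hashes, which is why check_manifest below exists.
    tree=$1; key=${2:-TREE_SIGNING_KEY_PLACEHOLDER}   # placeholder key id
    gpg --batch --yes --local-user "$key" --armor --detach-sign \
        --output "$tree/Manifest.asc" "$tree/Manifest"
}

check_manifest() {
    tree=$1
    [ -f "$tree/Manifest" ] || { echo "check: no Manifest in $tree" >&2; return 1; }
    # 1. Every listed file must still hash to its recorded value; this is the
    #    "~100000 hashes" step done by the tool, not by hand. A listed file
    #    that has vanished also fails here.
    ( cd "$tree" && $(hash_tool) -c Manifest >/dev/null 2>&1 ) \
        || { echo "check: hash mismatch or missing file in $tree" >&2; return 1; }
    # 2. sha1sum -c cannot notice a file that was *added* to the tree, so the
    #    file list must match the Manifest exactly.
    listed=$(awk '{print $2}' "$tree/Manifest" | LC_ALL=C sort)
    actual=$(list_tree "$tree")
    [ "$listed" = "$actual" ] \
        || { echo "check: files present in $tree but not in Manifest" >&2; return 1; }
    return 0
}

verify_tree() {
    # gpg exits 0 for a good signature by any key in the keyring; it does not
    # judge trust, so the keyring should hold only the tree-signing key.
    tree=$1; keyring=${2:-/etc/portage/tree-signing.gpg}   # placeholder path
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$tree/Manifest.asc" "$tree/Manifest" || return 1
    check_manifest "$tree"
}

case "${1:-}" in
    make)   make_manifest "$2" ;;
    sign)   sign_manifest "$2" "$3" ;;
    check)  check_manifest "$2" ;;
    verify) verify_tree "$2" "$3" ;;
esac
```

Saved as, say, `tree-manifest.sh`, the server side is `tree-manifest.sh make /srv/portage && tree-manifest.sh sign /srv/portage KEYID` from cron, and a client runs `tree-manifest.sh verify /var/db/repos/portage /path/to/keyring` after syncing. Two things the code makes visible that the thread only asserts: the rename in `make_manifest` is what keeps a concurrent sync from seeing a torn manifest, and `sha1sum -c` alone is not a complete check, since it is blind to files that were added to the tree, hence the file-list comparison. An unattended `sign` step needs the key's passphrase available to the cron job, which is the trust problem raised later in the thread.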



* Re: [gentoo-security] Re: Out of air
  2004-11-10 12:54     ` Antoine Martin
@ 2004-11-10 12:46       ` Rui Pedro Figueira Covelo
  2004-11-10 13:10         ` Antoine Martin
  2004-11-10 12:55       ` Klaus Wagner
  1 sibling, 1 reply; 44+ messages in thread
From: Rui Pedro Figueira Covelo @ 2004-11-10 12:46 UTC (permalink / raw
  To: gentoo-security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 10 Nov 2004, Antoine Martin wrote:

> 2) To all those saying that code should be submitted, we do not have
> access to the rsync servers needed to code 5 lines of bash.

Can't you start your own rsync server just for testing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SunOS)

iD8DBQFBkg2/fLPhlaxNQk0RAjuBAJ0WSErpthi5NCEx/AoMsd6e5xaLLgCePJ8v
L+hjOLMHr3ofnwUQvrhtodU=
=8+7G
-----END PGP SIGNATURE-----


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10  5:00   ` [gentoo-security] Re: Out of air Jason Stubbs
@ 2004-11-10 12:54     ` Antoine Martin
  2004-11-10 12:46       ` Rui Pedro Figueira Covelo
  2004-11-10 12:55       ` Klaus Wagner
  0 siblings, 2 replies; 44+ messages in thread
From: Antoine Martin @ 2004-11-10 12:54 UTC (permalink / raw
  To: Jason Stubbs; +Cc: gentoo-security

> > The current development effort that is underway is not one that can be
> > implemented overnight, but there is a solution that manages to satisfy
> > the core needs of this thread that can be implemented overnight.
I second that.

To reply to a few other threads:
1) This is no disrespect to the gentoo devs (kudos here) or the other,
better solution that is in the works. Just a band-aid we would rather
have now.
2) To all those saying that code should be submitted, we do not have
access to the rsync servers needed to code 5 lines of bash.

> I would advise everybody to read through aforementioned discussions in the 
> archives of gentoo-dev@gentoo.org before persuing this. Something that 
> appears so simple as this on the surface still has a number of sharp edges. 
> The infrastructure team would have to do some careful planning and possibly 
> restructing of job control on the master rsync and cvs servers. The portage 
> team would need to implement support for verifying the signature is valid. 
> Whoever else would have to plan and implement distribution of this 
> all-powerful key.
I think we all admit it may take some time, but we are talking about the
quick and dirty solution as a stop-gap measure, nothing else.
And if the better solution takes more than 1.5 years to roll out, backup
plans are just common sense - not criticism.

> But it doesn't stop there. Following this would be plan of action for the case 
> that the all-powerful key is compromised. Then there is also the up to six 
> month transition period between this solution and the solution that is 
> currently being implemented. That also requires careful planning and 
> implementation. So.. adding this simple solution now actually more than 
> doubles the amount of work that needs to be done down the track.
Would you care to expand on that?

It is just a cron job and a script, how would that double the amount of
work in the future?!?

Antoine


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10 12:54     ` Antoine Martin
  2004-11-10 12:46       ` Rui Pedro Figueira Covelo
@ 2004-11-10 12:55       ` Klaus Wagner
  2004-11-10 13:15         ` Andreas Waschbuesch
  2004-11-10 13:26         ` Antoine Martin
  1 sibling, 2 replies; 44+ messages in thread
From: Klaus Wagner @ 2004-11-10 12:55 UTC (permalink / raw
  To: Antoine Martin; +Cc: Jason Stubbs, gentoo-security

On Wed, Nov 10, 2004 at 12:54:44PM +0000, Antoine Martin wrote:
> I think we all admit it may take some time, but we are talking about the
> quick and dirty solution as a stop-gap measure, nothing else.
> And if the better solution takes more than 1.5 years to roll out, backup
> plans are just common sense - not criticism.
> 
> 
> It is just a cron job and a script, how would that double the amount of
> work in the future?!?

I really don't see how this is greatly improving security.
A cronjob that is AUTOMATICALLY signing everything it gets
wouldn't make me happy.

Security is not only signing and cryptography.
When it comes to signing, I have to trust every point
in the process, and I don't trust cronjobs and "in memory"
passphrases, or even worse unprotected private keys.

regards klaus


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10 12:46       ` Rui Pedro Figueira Covelo
@ 2004-11-10 13:10         ` Antoine Martin
  0 siblings, 0 replies; 44+ messages in thread
From: Antoine Martin @ 2004-11-10 13:10 UTC (permalink / raw
  To: Rui Pedro Figueira Covelo; +Cc: gentoo-security

> On Wed, 10 Nov 2004, Antoine Martin wrote:
> 
> > 2) To all those saying that code should be submitted, we do not have
> > access to the rsync servers needed to code 5 lines of bash.
> 
> Can't you start your own rsync server just for testing?
Sure I can,
but I have been told on this list that the code would have to play nice
with all sorts of other things I do not know/have. So there is little
point in that, is there?


--
gentoo-security@gentoo.org mailing list



* Re: [gentoo-security] Re: Out of air
  2004-11-10 12:55       ` Klaus Wagner
@ 2004-11-10 13:15         ` Andreas Waschbuesch
  2004-11-10 13:26         ` Antoine Martin
  1 sibling, 0 replies; 44+ messages in thread
From: Andreas Waschbuesch @ 2004-11-10 13:15 UTC (permalink / raw
  To: gentoo-security


Klaus Wagner's letter flowed forth with these words:
> [...]
> Security is not only signing and cryptography.
> When it comes to signing, I have to trust every point
> in the process, and I don't trust cronjobs and "in memory"
> passphrases, or even worse unprotected private keys.
>
> regards klaus

Full ACK. Some people pointed this out before (more or less specific). But 
it's no use discussing the everlasting myth of "partial security" and 
"substituting" trust here. The main purpose of those initiating threads 
_seems_ to be something completely different.

Greets - Andy

-- 
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de

Nobody really knows what happiness is, until they're married.
And then it's too late.


^ permalink raw reply	[flat|nested] 44+ messages in thread

* Re: [gentoo-security] Re: Out of air
  2004-11-10 12:55       ` Klaus Wagner
  2004-11-10 13:15         ` Andreas Waschbuesch
@ 2004-11-10 13:26         ` Antoine Martin
  2004-11-10 13:31           ` Anthony Metcalf
  1 sibling, 1 reply; 44+ messages in thread
From: Antoine Martin @ 2004-11-10 13:26 UTC (permalink / raw
  To: klaus; +Cc: Jason Stubbs, gentoo-security

On Wed, 2004-11-10 at 13:55 +0100, Klaus Wagner wrote:
> On Wed, Nov 10, 2004 at 12:54:44PM +0000, Antoine Martin wrote:
> > I think we all admit it may take some time, but we are talking about the
> > quick and dirty solution as a stop-gap measure, nothing else.
> > And if the better solution takes more than 1.5years to roll out, backup
> > plans are just common sense - not criticism.
> > 
> > 
> > I is just a cron job and a script, how would that double the amount of
> > work in the future?!?
> 
> I really don't see how this is greatly improving security.
> A cronjob that is AUTOMATICALLY signing everything it gets
> wouldn't make me happy.
> 
> Security, is not only signation and cryptography.
> When it comes to signation, I have to trust every point
> in the process, and I don't trust cronjobs and "in memory"
> passphrases, or even worse unprotected private keys.
Sure, I agree with you. This would not solve *all* problems.

But it would solve the problem that this thread started on, which is to
trust all the hops between your box and the gentoo servers. Which is a
greater risk than a compromised gentoo server.



* Re: [gentoo-security] Re: Out of air
  2004-11-10 13:26         ` Antoine Martin
@ 2004-11-10 13:31           ` Anthony Metcalf
  2004-11-10 14:03             ` Antoine Martin
  0 siblings, 1 reply; 44+ messages in thread
From: Anthony Metcalf @ 2004-11-10 13:31 UTC (permalink / raw
  To: gentoo-security


On Wed, 10 Nov 2004 13:26:26 +0000
Antoine Martin <antoine@nagafix.co.uk> wrote:

> Sure, I agree with you. This would not solve *all* problems.
> 
> But it would solve the problem that this thread started on, which is to
> trust all the hops between your box and the gentoo servers. Which is a
> greater risk than a compromised gentoo server.

The point, as many people have said, is that the "simple solution" is not as simple as it looks. The changes necessary to allow having up-to-date hashes of all the files, the file containing the hashes signed, and the checking of the file and the hashes *before* any remote info is run, would add significant development time, prolonging the time for the *better* solution. Not to mention the processing would add a lot of overhead.

Like to guess how long it would take to compile a list of hashes for the 100,000+ files in portage on my 450MHz server?

Yes there is a problem, yes there is a fix, the fix is on its way, be patient.


* [gentoo-security] The solution and hopefully the end.
  2004-11-10  4:53   ` Chris Haumesser
  2004-11-10  5:08     ` Jason Stubbs
@ 2004-11-10 13:52     ` Kurt Lieber
  2004-11-10 14:00       ` Anthony Metcalf
                         ` (5 more replies)
  1 sibling, 6 replies; 44+ messages in thread
From: Kurt Lieber @ 2004-11-10 13:52 UTC (permalink / raw
  To: gentoo-security


On Tue, Nov 09, 2004 at 08:53:21PM -0800 or thereabouts, Chris Haumesser wrote:
> Devs, what have you to lose by helping us do this?  I don't think I 
> understand the resistance, outside of the emotional reaction triggered 
> by this thread's initiator.

The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here.  I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.

This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do.  I
think it's safe to say that all of the other developers share that same
motivation.  If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.

You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction.   Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless.  That's fine -- I don't begrudge them because I do what I do
because I enjoy it.  So, when taking a stand on what you feel to be an
important issue, keep this in mind:  It does not matter if you are morally
right.  It does not matter if the issue is serious.  If you take the fun
out of developing this distro, Gentoo will die, period.   

Anyway, enough preaching.  This thread has gone on long enough.  The
solution that's been agreed upon is signing the daily snapshots that we
provide for users who can't use rsync.  (/snapshots directory on your
favorite source mirror)

This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very little changes to our existing
infrastructure.  emerge-webrsync will be hacked up to provide verification
support for it.  I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution.  It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.

--kurt

P.S.  I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred.  If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...


* Re: [gentoo-security] Re: Out of air
  2004-11-10 14:03             ` Antoine Martin
@ 2004-11-10 13:55               ` Anthony Metcalf
  2004-11-10 14:04               ` Calum
  1 sibling, 0 replies; 44+ messages in thread
From: Anthony Metcalf @ 2004-11-10 13:55 UTC (permalink / raw
  To: gentoo-security


On Wed, 10 Nov 2004 14:03:07 +0000
Antoine Martin <antoine@nagafix.co.uk> wrote:

> I think someone already tried it on this list, a few minutes IIRC.

real    10m39.694s
user    1m11.500s
sys     2m5.833s

That would make my emerge sync 1/3 longer, and create:

-rw-r--r--  1 nevyn users 7.6M Nov 10 14:51 portage_md5_sums.txt

That is just to create the hashes, and that 7.6M file would have to be added to the portage tree.

*That* isn't even the point though. The point is the work that would have to be done by the devs on a range of systems, and the increased load that would be put on the servers.

You think it would be worth it to have the "band-aid" in a few weeks and the complete fix in 6 months? I'd rather wait for the complete fix in the knowledge that I am getting the best alternative sooner.

Let us agree to disagree, after the devs have made their choice, as is their prerogative.


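Kurt's proposal (sign the daily snapshot so every file under /usr/portage can be checked) and the md5 list Anthony timed above come down to the same mechanism: a hash list over the whole tree, signed once on the server, and checked on the client before anything from the tree is used. The script that follows is an added example written for this page; it is not code from the thread, from emerge-webrsync or from Portage, and every function name in it is hypothetical. The directory layout it builds is constructed, and the GPG step is left out so the script runs offline: in a real deployment the text returned by serialize() is what gets detach-signed, and the signature is verified before parse() is ever called.

```python
"""Added example (not code from the thread or from Portage): build a
Manifest-style hash list over a tree, then verify a copy of the tree
against it.  serialize()'s output is the text that would be GPG-signed
and shipped with a snapshot; signing itself is left out so this runs
offline.  All function names are hypothetical.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def hash_file(path, algo="sha256"):
    """Stream the file through the digest so a large tree does not have
    to be read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file below root (relative path) to (size, digest).
    Symlinks are skipped rather than followed, so a link pointing outside
    the tree cannot pull foreign content into the hash list."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (os.path.getsize(full), hash_file(full))
    return entries


def serialize(manifest):
    """One line per file: <path> <size> <digest>.  This text is the unit
    that gets signed; check the signature before trusting parse()."""
    return "".join("%s %d %s\n" % (rel, size, digest)
                   for rel, (size, digest) in sorted(manifest.items()))


def parse(text):
    """Inverse of serialize().  rsplit keeps paths containing spaces intact."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rel, size, digest = line.rsplit(" ", 2)
        manifest[rel] = (int(size), digest)
    return manifest


def verify(root, manifest):
    """Return the files whose on-disk state disagrees with the manifest.
    'unlisted' matters as much as 'modified': a file that a hostile hop
    added to the tree carries no hash at all, so a checker that only walks
    the manifest entries would never look at it."""
    actual = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest
                           if r in actual and actual[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in actual),
        "unlisted": sorted(r for r in actual if r not in manifest),
    }


def demo():
    """Constructed tree: build the manifest, then tamper with the tree the
    way an intermediate mirror could, and report what verify() catches."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "app-misc", "foo")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "foo-1.0.ebuild"), "w") as f:
            f.write('SRC_URI="http://example.invalid/foo-1.0.tar.gz"\n')
        with open(os.path.join(pkg, "ChangeLog"), "w") as f:
            f.write("1.0: initial\n")

        signed_text = serialize(build_manifest(root))  # what would be signed
        clean = verify(root, parse(signed_text))

        # Tampering: alter an ebuild, delete a file, drop in an unlisted one.
        with open(os.path.join(pkg, "foo-1.0.ebuild"), "a") as f:
            f.write("src_install() { :; }\n")
        os.remove(os.path.join(pkg, "ChangeLog"))
        with open(os.path.join(pkg, "foo-1.1.ebuild"), "w") as f:
            f.write("# not in the manifest\n")
        tampered = verify(root, parse(signed_text))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The two things worth taking from it: the hashing is streamed, so the cost Anthony measured is bounded by disk throughput rather than memory, and the check reports files the manifest does not mention, which is the case a naive "walk the manifest and compare" loop misses.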

* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
@ 2004-11-10 14:00       ` Anthony Metcalf
  2004-11-10 14:24       ` [gentoo-security] " Chris Frey
                         ` (4 subsequent siblings)
  5 siblings, 0 replies; 44+ messages in thread
From: Anthony Metcalf @ 2004-11-10 14:00 UTC (permalink / raw
  To: gentoo-security


On Wed, 10 Nov 2004 13:52:02 +0000
Kurt Lieber <klieber@gentoo.org> wrote:

> The original fix suggested won't work for a number of reasons that I'm not
> going to bother to re-hash here.

re-hash...made me laugh.

> The solution that's been agreed upon is signing the daily snapshots that we
> provide for users who can't use rsync.  (/snapshots directory on your
> favorite source mirror)
> 
> robust verification solution in portage itself.

That's so simple it hurts. :)

Thanks Kurt.


* Re: [gentoo-security] Re: Out of air
  2004-11-10 13:31           ` Anthony Metcalf
@ 2004-11-10 14:03             ` Antoine Martin
  2004-11-10 13:55               ` Anthony Metcalf
  2004-11-10 14:04               ` Calum
  0 siblings, 2 replies; 44+ messages in thread
From: Antoine Martin @ 2004-11-10 14:03 UTC (permalink / raw
  To: Anthony Metcalf; +Cc: gentoo-security

On Wed, 2004-11-10 at 13:31 +0000, Anthony Metcalf wrote:
> On Wed, 10 Nov 2004 13:26:26 +0000
> Antoine Martin <antoine@nagafix.co.uk> wrote:
> 
> > Sure, I agree with you. This would not solve *all* problems.
> > 
> > But it would solve the problem that this thread started on, which is to
> > trust all the hops between your box and the gentoo servers. Which is a
> > greater risk than a compromised gentoo server.
> 
> The point, as many people have said, is that the "simple solution" is not as simple as it looks. The changes necessary to allow having up-to-date hashes of all the files, the file containing the hashes signed, and the checking of the file and the hashes *before* any remote info is run, would add significant development time, prolonging the time for the *better* solution. Not to mention the processing would add a lot of overhead.
I think this was mentioned before, but the few who would like to check
these signatures would probably not mind having out of date hashes, and
having to resync if they need to emerge that particular package -
assuming it got changed just when they last synced. Or am I missing
something?

> Like to guess how long it would take to compile a list of hashes for the 100,000+ files in portage on my 450MHz server?
I think someone already tried it on this list, a few minutes IIRC.

> Yes there is a problem, yes there is a fix, the fix is on its way, be patient.
No disrespect, but if it has taken more than 1.5 years already - and I
have not seen any release schedule, why not at least consider a
temporary fix?



* Re: [gentoo-security] Re: Out of air
  2004-11-10 14:03             ` Antoine Martin
  2004-11-10 13:55               ` Anthony Metcalf
@ 2004-11-10 14:04               ` Calum
  1 sibling, 0 replies; 44+ messages in thread
From: Calum @ 2004-11-10 14:04 UTC (permalink / raw
  To: gentoo-security

This *is* dragging on a bit.

Can we all agree on one thing?

That Gentoo devs signing their ebuilds with individual keys would at least 
make it possible to develop a framework that could make use of that, whatever 
form that framework takes?


Key distribution and key verification aside, at least signing ebuilds would 
help, and couldn't possibly hinder?


-- 

Random russian saying: Working sweat spices your food.

jabber: jcalum@umtstrial.co.uk
pgp: http://gk.umtstrial.co.uk/~calum/keys.php
Linux 2.6.7-hardened-r7 14:02:22 up 52 days, 3:06, 1 user, load average: 2.44, 
2.44, 2.12


* [gentoo-security] Re: The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
  2004-11-10 14:00       ` Anthony Metcalf
@ 2004-11-10 14:24       ` Chris Frey
  2004-11-10 18:15       ` [gentoo-security] " Gary Nichols
                         ` (3 subsequent siblings)
  5 siblings, 0 replies; 44+ messages in thread
From: Chris Frey @ 2004-11-10 14:24 UTC (permalink / raw
  To: gentoo-security

On Wed, Nov 10, 2004 at 01:52:02PM +0000, Kurt Lieber wrote:
> The original fix suggested won't work for a number of reasons that I'm not
> going to bother to re-hash here.  I did suggest an alternate solution that
> I think is going to work and Peter has agreed to write the code to
> implement it.
[snip]
> This thread has gone on long enough.  The
> solution that's been agreed upon is signing the daily snapshots that we
> provide for users who can't use rsync.  (/snapshots directory on your
> favorite source mirror)

Fantastic idea!  If you need help writing or testing this script, you guys
know where to find me. :-)  I'm not a python guru, but the main script
shouldn't need much more than bash.

Thanks,
- Chris



* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
  2004-11-10 14:00       ` Anthony Metcalf
  2004-11-10 14:24       ` [gentoo-security] " Chris Frey
@ 2004-11-10 18:15       ` Gary Nichols
  2004-11-10 19:02         ` Joey McCoy
                           ` (2 more replies)
  2004-11-11  1:19       ` Jason Stubbs
                         ` (2 subsequent siblings)
  5 siblings, 3 replies; 44+ messages in thread
From: Gary Nichols @ 2004-11-10 18:15 UTC (permalink / raw
  To: Kurt Lieber; +Cc: gentoo-security


On Wed, 10 Nov 2004, Kurt Lieber wrote:
> This entire thread has been very demotivating to me as a Gentoo developer.
> Please keep in mind that I donate my time because I enjoy what I do.  I
> think it's safe to say that all of the other developers share that same
> motivation.  If you take the enjoyment out of developing Gentoo, it's going
> to die off rather quickly.

I just want to say that I *really* appreciate every minute that the Gentoo 
developers spend on Gentoo, especially the Gentoo SPARC team.  You guys 
deserve much more credit than you are given.  I, for one, will be tipping 
a glass of fine beer tonight in your honor.  :-)

To Kurt and everyone else - THANK YOU.




* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 18:15       ` [gentoo-security] " Gary Nichols
@ 2004-11-10 19:02         ` Joey McCoy
  2004-11-10 19:20           ` Michael Gruenberger
  2004-11-10 19:26           ` DeadManMoving
  2004-11-10 22:17         ` [gentoo-security] " Thomas Kirchner
  2004-11-11  1:16         ` [gentoo-security] " James A. Cox
  2 siblings, 2 replies; 44+ messages in thread
From: Joey McCoy @ 2004-11-10 19:02 UTC (permalink / raw
  To: gentoo-security

Agreed!!! You Gentoo Developers are terrific! Never before has a distro
matched Gentoo.. the community has been so wonderful.. I am now running
(between work and home) almost a dozen Gentoo boxes, and love it.

Keep up the good work, Developers. Don't let one bad apple ruin it for you
(there's bound to be more of them as Gentoo gets more popular,
unfortunately). Just remember all the positive notes you get from users...

And a note to the users: let's let the developers know how much we
appreciate them a bit more often.. ;)


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 19:02         ` Joey McCoy
@ 2004-11-10 19:20           ` Michael Gruenberger
  2004-11-10 19:57             ` Joey McCoy
  2004-11-10 21:22             ` Glen Combe
  2004-11-10 19:26           ` DeadManMoving
  1 sibling, 2 replies; 44+ messages in thread
From: Michael Gruenberger @ 2004-11-10 19:20 UTC (permalink / raw
  To: gentoo-security

Couldn't agree more! You developers are doing a great job! Please keep
up the great work!

In order to show how much I appreciate your work, I just bought some
stuff from the Gentoo store. I would like to encourage everyone who
enjoys Gentoo as much as I do to do the same!

Please help to keep Kurt and the other developers motivated!

Cheers,

Michael.



* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 19:02         ` Joey McCoy
  2004-11-10 19:20           ` Michael Gruenberger
@ 2004-11-10 19:26           ` DeadManMoving
  1 sibling, 0 replies; 44+ messages in thread
From: DeadManMoving @ 2004-11-10 19:26 UTC (permalink / raw
  To: gentoo-security

There has been a lot of negative mail in this thread so another positive
may be welcome!

I would like to let all the Gentoo devs reading this thread know that I
highly appreciate the great work you have done for us, the community,
in the past and that you'll continue to deliver.

I've been using Linux (in fact several distros) for about ten years now
and Gentoo is by far the one that fills all my needs (even security!).

Thanks to all gentoo devs. for all the time they gave to the community! 


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 19:20           ` Michael Gruenberger
@ 2004-11-10 19:57             ` Joey McCoy
  2004-11-10 21:22             ` Glen Combe
  1 sibling, 0 replies; 44+ messages in thread
From: Joey McCoy @ 2004-11-10 19:57 UTC (permalink / raw
  To: gentoo-security

Oh cool. I didn't realize buying Gentoo t-shirts and things helped the
developers so much. I will most definitely be purchasing some merchandise,
then!

Btw, I forgot to add that I'm a security nut (often referred to as a
'pedantic' security nut ;) ), and Gentoo is the ONLY distro that I've found
to satisfy my security needs, and it is QUITE easy to implement them
compared to other distros.. :)


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 19:20           ` Michael Gruenberger
  2004-11-10 19:57             ` Joey McCoy
@ 2004-11-10 21:22             ` Glen Combe
  2004-11-10 21:57               ` William Barnett
  1 sibling, 1 reply; 44+ messages in thread
From: Glen Combe @ 2004-11-10 21:22 UTC (permalink / raw
  To: gentoo-security

That is a great idea....  I think I will follow suit and buy a thing or two
of Gentoo...   As well, I enjoy Gentoo and the base principles. Choice....
it's all about choice.  That is why Gentoo works for me.

 Thanks to devs who have put in the time and hard work.

cheers.

* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 21:22             ` Glen Combe
@ 2004-11-10 21:57               ` William Barnett
  0 siblings, 0 replies; 44+ messages in thread
From: William Barnett @ 2004-11-10 21:57 UTC (permalink / raw
  To: gentoo-security

At the risk of being repetitive...

Ditto! (Oh and I just bought some Gentoo gear of my own. I guess I had
better visit OpenBSD.org while I'm at it!!!)

Really, "Thanks!" to all contributors,

Bill - repentant leech
(Unrepentant list lurker)

On or about 11/10/04, many folks wrote:

>  Thanks to devs who have put in the time and hard work.
> 
> cheers.

>> Couldn't agree more! You developers are doing a great job! Please keep
>> up the great work!

>>> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
>>> matched Gentoo.. the community has been so wonderful.. I am now running
>>> (between work and home) almost a dozen Gentoo boxes, and love it.
>>> 
>>> Keep up the good work, Developers. Don't let one bad apple ruin it for
>>> you




* [gentoo-security] Re: The solution and hopefully the end.
  2004-11-10 18:15       ` [gentoo-security] " Gary Nichols
  2004-11-10 19:02         ` Joey McCoy
@ 2004-11-10 22:17         ` Thomas Kirchner
  2004-11-10 22:20           ` Jeff Smelser
  2004-11-11  1:16         ` [gentoo-security] " James A. Cox
  2 siblings, 1 reply; 44+ messages in thread
From: Thomas Kirchner @ 2004-11-10 22:17 UTC (permalink / raw
  To: gentoo-security


On Wed, Nov 10, 2004 at 11:15:11AM -0700, Gary Nichols wrote:
> I just want to say that I *really* appreciate every minute that the Gentoo 
> developers spend on Gentoo, especially the Gentoo SPARC team.  You guys 
> deserve much more credit than you are given.  I, for one, will be tipping 
> a glass of fine beer tonight in your honor.  :-)

Gentoo is the only distribution/OS that's held my interest and satisfied my computing
needs, and it's all thanks to the devs.  I try to do my part when I can to repay the
community, but without our wonderful devs we wouldn't be here.  Thanks to all of you.
(And don't let the idiots get you down.  Most of us really do appreciate you.)
Tom


* Re: [gentoo-security] Re: The solution and hopefully the end.
  2004-11-10 22:17         ` [gentoo-security] " Thomas Kirchner
@ 2004-11-10 22:20           ` Jeff Smelser
  2004-11-10 22:26             ` dan
  2004-11-10 23:42             ` [gentoo-security] " Thomas Kirchner
  0 siblings, 2 replies; 44+ messages in thread
From: Jeff Smelser @ 2004-11-10 22:20 UTC (permalink / raw
  To: gentoo-security


On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:

> Gentoo is the only distribution/OS that's held my interest and satisfied my
> computing needs, and it's all thanks to the devs.  I try to do my part when
> I can to repay the community, but without our wonderful devs we wouldn't be
> here.  Thanks to all of you. (And don't let the idiots get you down.  Most
> of us really do appreciate you.) Tom

Who is an idiot, by the way? I am curious whom you're directing this comment to.

Jeff


* Re: [gentoo-security] Re: The solution and hopefully the end.
  2004-11-10 22:20           ` Jeff Smelser
@ 2004-11-10 22:26             ` dan
  2004-11-10 23:42             ` [gentoo-security] " Thomas Kirchner
  1 sibling, 0 replies; 44+ messages in thread
From: dan @ 2004-11-10 22:26 UTC (permalink / raw
  To: gentoo-security

On Wed, 10 Nov 2004 16:20:35 -0600, Jeff Smelser <tradergt@smelser.org> wrote:
> On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:
> 
> > Gentoo is the only distribution/OS that's held my interest and satisfied my
> > computing needs, and it's all thanks to the devs.  I try to do my part when
> > I can to repay the community, but without our wonderful devs we wouldn't be
> > here.  Thanks to all of you. (And don't let the idiots get you down.  Most
> > of us really do appreciate you.) Tom
> 
> Who is an idiot by the way? I am curious who your directing this comment to.
> 
> Jeff
> 

The idiots are the people who will not let this thread die.


* [gentoo-security] Re: Re: The solution and hopefully the end.
  2004-11-10 22:20           ` Jeff Smelser
  2004-11-10 22:26             ` dan
@ 2004-11-10 23:42             ` Thomas Kirchner
  1 sibling, 0 replies; 44+ messages in thread
From: Thomas Kirchner @ 2004-11-10 23:42 UTC (permalink / raw
  To: gentoo-security


On Wed, Nov 10, 2004 at 04:20:35PM -0600, Jeff Smelser wrote:
> Who is an idiot, by the way? I am curious whom you're directing this comment to.

I'm sure the devs have occasionally been frustrated by people's actions or comments.
They're doing this for fun, and sometimes users don't understand that.  I try not to show
my hard-headed side here, even when images of 'rtfm' flash through my mind... one of the
best parts of Gentoo is the helpful community.
We all have our people that get to us - though I bet ciaranm's list is longer than most :)
Tom


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 18:15       ` [gentoo-security] " Gary Nichols
  2004-11-10 19:02         ` Joey McCoy
  2004-11-10 22:17         ` [gentoo-security] " Thomas Kirchner
@ 2004-11-11  1:16         ` James A. Cox
  2 siblings, 0 replies; 44+ messages in thread
From: James A. Cox @ 2004-11-11  1:16 UTC (permalink / raw
  To: Gary Nichols; +Cc: Kurt Lieber, gentoo-security

Gary Nichols wrote:

>
> On Wed, 10 Nov 2004, Kurt Lieber wrote:
>
>> This entire thread has been very demotivating to me as a Gentoo 
>> developer.
>> Please keep in mind that I donate my time because I enjoy what I do.  I
>> think it's safe to say that all of the other developers share that same
>> motivation.  
>
>
> I just want to say that I *really* appreciate every minute that the 
> Gentoo developers spend on Gentoo, especially the Gentoo SPARC team.  
> You guys deserve much more credit than you are given.  I, for one, 
> will be tipping a glass of fine beer tonight in your honor.  :-)


Hear, hear.  As a (heretofore silent) Gentoo user for about two years, I 
feel certain the vast majority of us feel the way that Gary Nichols does 
and greatly appreciate the work you do.


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
                         ` (2 preceding siblings ...)
  2004-11-10 18:15       ` [gentoo-security] " Gary Nichols
@ 2004-11-11  1:19       ` Jason Stubbs
  2004-11-11  5:45       ` [gentoo-security] " Peter Simons
  2004-11-11 10:56       ` [gentoo-security] The solution and hopefully the end Paul de Vrieze
  5 siblings, 0 replies; 44+ messages in thread
From: Jason Stubbs @ 2004-11-11  1:19 UTC (permalink / raw
  To: gentoo-security

On Wednesday 10 November 2004 22:52, Kurt Lieber wrote:
> emerge-webrsync will be hacked up to provide verification support for it.  I 
> don't have any commitments from the portage devs that these changes will be 
> included (emerge-webrsync is part of portage) so this may end up being an 
> unsupported, use-at-your-own-risk solution.     

emerge-webrsync is on its way out to be integrated with portage - already in 
CVS actually - but the checking of a manifest can be integrated just as 
easily providing the "standard" PORTAGE_GPG_DIR et al configuration is used. 
Consider this "official" commitment. :)

Regards,
Jason Stubbs


* [gentoo-security] Re: The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
                         ` (3 preceding siblings ...)
  2004-11-11  1:19       ` Jason Stubbs
@ 2004-11-11  5:45       ` Peter Simons
  2004-11-11  8:41         ` [gentoo-security] just can't let it die Chris Haumesser
  2004-11-11 10:56       ` [gentoo-security] The solution and hopefully the end Paul de Vrieze
  5 siblings, 1 reply; 44+ messages in thread
From: Peter Simons @ 2004-11-11  5:45 UTC (permalink / raw
  To: gentoo-security

Kurt Lieber writes:

 > The original fix suggested won't work for a number of
 > reasons that I'm not going to bother to re-hash here.

I'd like to fill that little blank in.

The reason why 99.9% of the Gentoo users can't authenticate
any of the software they use is that some high-profile
Gentoo system administrator is too dumb to realize that ...

 (1) you don't need to generate hashes for any of the files
     that are covered by the manifests, because -- surprise
     -- the manifests do contain their hashes already.

 (2) you don't need to regenerate a hash when the file
     hasn't changed since the last time you generated one.

 (3) adding a single command to CVSROOT/commitinfo would
     generate a hash for every file the moment a change was
     committed so that there was absolutely no timing
     problem and almost no increase in load on the server.


 > Quite frankly, a lot of the users out there are leeches
 > who don't provide anything back to the Gentoo community,
 > but consume our software nonetheless.

Since this comment is obviously directed at me, I suggest
you grep your unauthenticated Portage database for my name,
dumb-ass. Quite frankly, not everybody is as hung up on what
he all does for Gentoo and mentions it at every second
opportunity.


 > P.S. I do not want anyone to think that this solution is
 > being implemented because of the bitching and screaming
 > that occurred.

No. It is implemented because I did it.


I apologize for flaming on the list, but after being lied
to, being called an asshole, being called a jackass, being
called a public stink, being told to fuck off, and all that
because I dare request that someone simply stops standing in
the way when others are trying to increase the security of
Gentoo's users -- and that on the SECURITY mailing list, for
crying out loud --, I really don't feel there is any need to
be polite anymore.

And please don't misunderstand me. There are people who
deserved it a LOT more to be flamed than Kurt. Definitely.
But some of those guys are *so* dumb that it's really not
worth it.

And now I'll do what some real tough security experts here
wanted all along. I'll cease posting.

Until next time.

Peter



* [gentoo-security] just can't let it die
  2004-11-11  5:45       ` [gentoo-security] " Peter Simons
@ 2004-11-11  8:41         ` Chris Haumesser
  2004-11-11  9:14           ` Sune Kloppenborg Jeppesen
  0 siblings, 1 reply; 44+ messages in thread
From: Chris Haumesser @ 2004-11-11  8:41 UTC (permalink / raw
  To: gentoo-security


Sorry guys,


I just can't let go of this thread.  I've become dependent upon it for 
my daily dose of drama.  I NEED to hear people flame and bicker all day 
long...!!

Seriously though, this thread about portage signing has made me think 
more thoroughly about gentoo and its security needs.

I decided tonight to take a step back, and look at what the gentoo web 
site has to say about security.  And the answer, which came as a 
surprise to me, was very little.


I'm not sure how to interpret this.  I will admit that I have not yet 
surveyed other open source projects' websites to compare their relative 
emphases on security.  But I was surprised to see how little mention 
this big issue receives in the gentoo press, so to speak. 

It occurs to me that this lack of transparency is perhaps somewhat to 
blame for the flame war that we're all hopefully healing from by now.  I 
really don't know what I should expect from gentoo in terms of security, 
other than having a general understanding that upstream packages will be 
maintained with security fixes.  But clearly, creating a secure distro 
involves more than just package maintenance.  And clearly, more _IS_ 
being done than just upstream package maintenance.  I just have no idea 
what.

In other words, I don't see any mention of security in the gentoo 
philosophy or in the social contract.  With all of the "fix it yourself 
if you don't like it" comments I've seen in this thread, I wonder if it 
would be constructive to ask some pointed questions that get to the 
heart of the matter: 


What should be the extent of gentoo's social responsibility to ensure 
the security and integrity of its software?  How can this be made 
transparent to users?  Are security ethics worthy of mention in the 
social contract?

Is there a written policy for determining what issues warrant the 
issuance of a GLSA?  If so, where?  If not, should there be?

What part does security -- and by this, I mean security as a concept, as 
an important consideration that keeps the Internet from imploding as 
well as keeping nasty things away from our workstations -- play in the 
gentoo philosophy?  Does gentoo believe that security is a point of 
primary importance to an OS?  (surely yes!)  Should some mention of this 
be included in our philosophy statement? 

What does the gentoo developer handbook have to say about security?  
Should it address the security expectations we have of software developers?

What about users who lack the technical ability to "fix it themselves"?  
Do we just want them to go back to Windoze, since they don't know any 
python or C?  Or do we have a rudimentary obligation to provide them 
with some (how much?) degree of security out of the box?  How should we 
inform users of what to expect?

To what extent should the community be involved in managing security 
issues?  What mechanisms exist for this?  Should there be a more 
streamlined way for users to see what the status of current security 
efforts is?

Is there a set of criteria we can agree on that might aid us in 
assessing the severity of a threat and need for a fix, in a way that is 
reasonable and fair?  How are potential threats currently assessed?  
What should someone do if they think a serious problem is being 
overlooked or actively ignored?  Is there a way to set up some 
protocols/procedures that might avoid this kind of flame war in the future?


I hope no one sees this as trolling.  I'm not trying to start another 
flame war, but I think these are all fundamental, legitimate questions 
raised by this thread.  Where exactly _does_ the gentoo project stand on 
security?  And how do I find out?  This is a key piece of missing 
perspective.



Cheers,



-C-


PS - In the midst of all the (much-deserved!) dev glorification, I want 
to also thank Peter for sticking to his convictions and moving this 
issue forward.




* Re: [gentoo-security] just can't let it die
  2004-11-11  8:41         ` [gentoo-security] just can't let it die Chris Haumesser
@ 2004-11-11  9:14           ` Sune Kloppenborg Jeppesen
  0 siblings, 0 replies; 44+ messages in thread
From: Sune Kloppenborg Jeppesen @ 2004-11-11  9:14 UTC (permalink / raw
  To: gentoo-security


I'm short on time so here's a quick answer to your questions.

On Thursday 11 November 2004 09:41, Chris Haumesser wrote:
<snip>
> Is there a written policy for determining what issues warrant the
> issuance of a GLSA?  If so, where?  If not, should there be?

http://security.gentoo.org should provide you with the pointers requested.

> What does the gentoo developer handbook have to say about security?
> Should it address the security expectations we have of software developers?

I would say yes, but no one has done it yet.

> To what extent should the community be involved in managing security
> issues?  What mechanisms exist for this?  Should there be a more
> streamlined way for users to see what the status of current security
> efforts is?

As with most of the development process there is http://bugs.gentoo.org.

But I'm all ears for other proposals, we love contributions.

> Is there a set of criteria we can agree on that might aid us in
> assessing the severity of a threat and need for a fix, in a way that is
> reasonable and fair?  How are potential threats currently assessed?

See Vulnerability Policy on the above page.

> What should someone do if they think a serious problem is being
> overlooked or actively ignored?  Is there a way to set up some
> protocols/procedures that might avoid this kind of flame war in the future?

File a security bug at http://bugs.gentoo.org

>
> I hope no one sees this as trolling.  I'm not trying to start another
> flame war, but I think these are all fundamental, legitimate questions
> raised by this thread.  Where exactly _does_ the gentoo project stand on
> security?  And how do I find out?  This is a key piece of missing
> perspective.
http://www.gentoo.org -> Security Announcements

-- 
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team


* Re: [gentoo-security] The solution and hopefully the end.
  2004-11-10 13:52     ` [gentoo-security] The solution and hopefully the end Kurt Lieber
                         ` (4 preceding siblings ...)
  2004-11-11  5:45       ` [gentoo-security] " Peter Simons
@ 2004-11-11 10:56       ` Paul de Vrieze
  5 siblings, 0 replies; 44+ messages in thread
From: Paul de Vrieze @ 2004-11-11 10:56 UTC (permalink / raw
  To: gentoo-security


On Wednesday 10 November 2004 14:52, Kurt Lieber wrote:
> Anyway, enough preaching.  This thread has gone on long enough.  The
> solution that's been agreed upon is signing the daily snapshots that
> we provide for users who can't use rsync.  (/snapshots directory on
> your favorite source mirror)

All right, repeating it is not useful.

>
> This provides the ability to verify the integrity of every single file
> under /usr/portage/ and requires very little changes to our existing
> infrastructure.  emerge-webrsync will be hacked up to provide
> verification support for it.  I don't have any commitments from the
> portage devs that these changes will be included (emerge-webrsync is
> part of portage) so this may end up being an unsupported,
> use-at-your-own-risk solution.  It does not take away from or alter the
> plans to implement a much better, more robust verification solution in
> portage itself.

Well, finally some usable solution. I'm fairly confident that the portage 
devs will support it. I think it can be an acceptable measure until the 
final measures are finalized.

Paul

> P.S.  I do not want anyone to think that this solution is being
> implemented because of the bitching and screaming that occurred.  If
> someone had posted a message to the list before all this broke out
> suggesting this solution and volunteering to write the code for it, it
> would be in place by now. That's another way of saying that we didn't
> have to go through all this unpleasantness...

ps. I'm fairly confident that all the bashing has in general been 
counterproductive. I certainly have still about 100 mails on the mailing 
list lying about, which I don't intend to read. I don't care much about 
flamewars, and might certainly have missed productive suggestions.

At least now there is a good temporary measure, and we can now focus on 
how the keychain maintenance can be handled (for the final solution).

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
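
Peter Simons' points (1) and (2) earlier in the thread, and the snapshot verification that Kurt Lieber describes in the message quoted above, come down to the same two operations over a Gentoo-style Manifest: hash only the files whose recorded size or mtime has changed since the last run, and check a tree against the recorded hashes before trusting it. The following is an added example written for this page; it is not code from the thread, from Portage or from emerge-webrsync. It uses the 2004-era `MD5 <hash> <relative path> <size>` line format, a constructed two-file tree in a temporary directory, and a size-plus-mtime cache that is an assumption of this example rather than anything Portage kept. Signing the Manifest itself (the GPG step that ties the hashes to a key) is outside this block.

```python
"""Incremental Manifest generation and tree verification (added example)."""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "Manifest"

def md5_file(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large distfiles do not sit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse 'MD5 <hex> <relpath> <size>' lines into {relpath: (hex, size)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "MD5":
            continue  # ignore malformed lines and hash types this example does not handle
        entries[parts[2]] = (parts[1], int(parts[3]))
    return entries

def format_manifest(entries: dict) -> str:
    """Emit entries in sorted order so two runs over an unchanged tree are byte-identical."""
    return "".join(f"MD5 {h} {name} {size}\n" for name, (h, size) in sorted(entries.items()))

def tree_files(root: Path):
    """All regular files under root except the Manifest itself, as POSIX relative paths."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield p.relative_to(root).as_posix(), p

def generate_manifest(root: Path, cache: dict):
    """Build the Manifest text, rehashing only files whose size or mtime changed.

    cache maps relpath -> (size, mtime_ns, md5) and is updated in place; this
    cache is an assumption of the example, not a Portage data structure.
    Returns (manifest_text, number_of_files_actually_hashed).
    """
    entries, hashed = {}, 0
    for rel, p in tree_files(root):
        st = p.stat()
        cached = cache.get(rel)
        if cached and cached[0] == st.st_size and cached[1] == st.st_mtime_ns:
            digest = cached[2]           # unchanged since last run: reuse the hash
        else:
            digest = md5_file(p)
            hashed += 1
            cache[rel] = (st.st_size, st.st_mtime_ns, digest)
        entries[rel] = (digest, st.st_size)
    for stale in set(cache) - set(entries):  # forget files that were deleted
        del cache[stale]
    return format_manifest(entries), hashed

def verify_tree(root: Path, manifest_text: str) -> list:
    """Check a tree against Manifest text; an empty list means everything matches."""
    entries = parse_manifest(manifest_text)
    problems = []
    for rel, (digest, size) in entries.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != size:
            problems.append(f"size mismatch: {rel}")
        elif md5_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel, _ in tree_files(root):          # files the Manifest does not vouch for
        if rel not in entries:
            problems.append(f"unlisted: {rel}")
    return sorted(problems)

def demo() -> dict:
    """End-to-end run on a constructed two-file tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pkg = root / "app-misc" / "hello"
        pkg.mkdir(parents=True)
        (pkg / "hello-1.0.ebuild").write_bytes(b"# constructed ebuild\n")
        (pkg / "ChangeLog").write_bytes(b"constructed changelog\n")
        cache = {}
        manifest, first = generate_manifest(root, cache)   # both files hashed
        again, second = generate_manifest(root, cache)     # nothing changed: 0 hashed
        clean = verify_tree(root, manifest)
        # Same-length edit plus a new file the Manifest knows nothing about.
        (pkg / "hello-1.0.ebuild").write_bytes(b"# CONSTRUCTED ebuild\n")
        (pkg / "metadata.xml").write_bytes(b"<!-- constructed -->\n")
        tampered = verify_tree(root, manifest)
        return {"first": first, "second": second, "stable": manifest == again,
                "clean": clean, "tampered": tampered}

if __name__ == "__main__":
    print(demo())
```

The size-plus-mtime shortcut is what makes regeneration over a whole tree cheap, but it is only a heuristic: an edit that keeps both size and timestamp would be missed by the cache, which is one argument for Peter's third point, rehashing exactly the files a commit touched, from a commit hook. Verification takes no such shortcut; it hashes every listed file and also reports files present on disk that the Manifest does not list, since an unlisted file is precisely what a signature over the Manifest cannot vouch for.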

