* [gentoo-security] unsubscribe me -- I've had enough @ 2004-11-11 18:56 Lee Bowyer 2004-11-11 19:18 ` Jeff Smelser 2004-11-11 19:30 ` Matthew Baxa 0 siblings, 2 replies; 12+ messages in thread From: Lee Bowyer @ 2004-11-11 18:56 UTC (permalink / raw To: gentoo-security yeah? see subject... what a pointless list. -- Lee Bowyer Lee@networkpenetration.com www.networkpenetration.com -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] unsubscribe me -- I've had enough 2004-11-11 18:56 [gentoo-security] unsubscribe me -- I've had enough Lee Bowyer @ 2004-11-11 19:18 ` Jeff Smelser 2004-11-11 19:30 ` Matthew Baxa 1 sibling, 0 replies; 12+ messages in thread From: Jeff Smelser @ 2004-11-11 19:18 UTC (permalink / raw To: gentoo-security [-- Attachment #1: Type: text/plain, Size: 163 bytes --] On Thursday 11 November 2004 12:56 pm, Lee Bowyer wrote: > yeah? see subject... > what a pointless list. Oh, let me get out my violin and hanky.. Jeff [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] unsubscribe me -- I've had enough 2004-11-11 18:56 [gentoo-security] unsubscribe me -- I've had enough Lee Bowyer 2004-11-11 19:18 ` Jeff Smelser @ 2004-11-11 19:30 ` Matthew Baxa 2004-11-11 19:19 ` Gary Nichols 1 sibling, 1 reply; 12+ messages in thread From: Matthew Baxa @ 2004-11-11 19:30 UTC (permalink / raw To: gentoo-security Don't send unsubscribe requests to the list, follow the directions in the headers. On Nov 11, 2004, at 12:56 PM, Lee Bowyer wrote: > yeah? see subject... > what a pointless list. > > -- > > Lee Bowyer > Lee@networkpenetration.com > www.networkpenetration.com > > -- > gentoo-security@gentoo.org mailing list > > > ----------- Matthew Baxa <mbaxa@k-state.edu> Application Services Administrator Office of Mediated Education CC 55 -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] unsubscribe me -- I've had enough 2004-11-11 19:30 ` Matthew Baxa @ 2004-11-11 19:19 ` Gary Nichols 2004-11-11 19:37 ` Matthew Baxa 2004-11-11 19:43 ` [gentoo-security] Maybe a new approach? James Dennis 0 siblings, 2 replies; 12+ messages in thread From: Gary Nichols @ 2004-11-11 19:19 UTC (permalink / raw To: gentoo-security On Thu, 11 Nov 2004, Matthew Baxa wrote: > Don't send unsubscribe requests to the list, follow the directions in the > headers. <My two cents> I think he sent it to the list as a matter of protest. </My two cents> -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] unsubscribe me -- I've had enough 2004-11-11 19:19 ` Gary Nichols @ 2004-11-11 19:37 ` Matthew Baxa 2004-11-11 19:43 ` [gentoo-security] Maybe a new approach? James Dennis 1 sibling, 0 replies; 12+ messages in thread From: Matthew Baxa @ 2004-11-11 19:37 UTC (permalink / raw To: Gary Nichols; +Cc: gentoo-security I realize this, but it still was childish. "I'm not talking to you any more so there!" :) On Nov 11, 2004, at 1:19 PM, Gary Nichols wrote: > On Thu, 11 Nov 2004, Matthew Baxa wrote: > >> Don't send unsubscribe requests to the list, follow the directions in >> the headers. > > <My two cents> > > I think he sent it to the list as a matter of protest. > > </My two cents> > > > -- > gentoo-security@gentoo.org mailing list > > ----------- Matthew Baxa <mbaxa@k-state.edu> Application Services Administrator Office of Mediated Education CC 55 -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* [gentoo-security] Maybe a new approach? 2004-11-11 19:19 ` Gary Nichols 2004-11-11 19:37 ` Matthew Baxa @ 2004-11-11 19:43 ` James Dennis 2004-11-11 19:55 ` Jeff Smelser 1 sibling, 1 reply; 12+ messages in thread From: James Dennis @ 2004-11-11 19:43 UTC (permalink / raw To: gentoo-security So much of the recent chatter could've been held in irc or some other medium. Would it be stupid to have scheduled irc meetings at some point when list posting gets out of hand like this? A digest could be posted to the list to explain what happened in the meeting. I primarily read this list for advisories and new ideas, but would prefer a list of ideas or methods be broken apart into something more readable and lacking flames and in fewer emails. James On Nov 11, 2004, at 2:19 PM, Gary Nichols wrote: > On Thu, 11 Nov 2004, Matthew Baxa wrote: > >> Don't send unsubscribe requests to the list, follow the directions in >> the headers. > > <My two cents> > > I think he sent it to the list as a matter of protest. > > </My two cents> > > > -- > gentoo-security@gentoo.org mailing list > > -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 19:43 ` [gentoo-security] Maybe a new approach? James Dennis @ 2004-11-11 19:55 ` Jeff Smelser 2004-11-11 20:11 ` Glen Combe 0 siblings, 1 reply; 12+ messages in thread From: Jeff Smelser @ 2004-11-11 19:55 UTC (permalink / raw To: gentoo-security [-- Attachment #1: Type: text/plain, Size: 574 bytes --] On Thursday 11 November 2004 01:43 pm, James Dennis wrote: > I primarily read this list for advisories and new ideas, but would > prefer a list of ideas or methods be broken apart into something more > readable and lacking flames and in fewer emails. wtf did you guys think you were doing when you signed up? If you want announcements, join the security announcement list.. This is for security related discussion.. From the site: gentoo-security -- For the discussion of security issues and fixes KEY WORD DISCUSSION.. This is friggin list.. Jeff [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 19:55 ` Jeff Smelser @ 2004-11-11 20:11 ` Glen Combe 2004-11-11 20:20 ` Kurt Lieber 0 siblings, 1 reply; 12+ messages in thread From: Glen Combe @ 2004-11-11 20:11 UTC (permalink / raw To: gentoo-security the key word being discussion. So we have peters fix. are there any others? Kurt can you clarify this for me or give me more detail... on what you mean what you say below? What is the more robust solution? I dont recall reading it here? "The solution that Peter is requesting (generating hashes of files not already hashed and then signing all Manifests/hashes) is considerably more risky and is not something I will implement since we have a more robust, better solution in the works already." Thanks ----- Original Message ----- From: "Jeff Smelser" <tradergt@smelser.org> To: <gentoo-security@lists.gentoo.org> Sent: Thursday, November 11, 2004 12:55 PM Subject: Re: [gentoo-security] Maybe a new approach? -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 20:11 ` Glen Combe @ 2004-11-11 20:20 ` Kurt Lieber 2004-11-11 20:31 ` Glen Combe 0 siblings, 1 reply; 12+ messages in thread From: Kurt Lieber @ 2004-11-11 20:20 UTC (permalink / raw To: gentoo-security [-- Attachment #1: Type: text/plain, Size: 868 bytes --] On Thu, Nov 11, 2004 at 01:11:15PM -0700 or thereabouts, Glen Combe wrote: > Kurt can you clarify this for me or give me more detail... on what you > mean what you say below? What is the more robust solution? I dont recall > reading it here? > > "The solution that Peter is requesting (generating hashes of files not > already hashed and then signing all Manifests/hashes) is considerably more > risky and is not something I will implement since we have a more robust, > better solution in the works already." It's been mentioned numerous times. The strategic approach to fixing this issue is taking the work we've already put into signed manifests and extending it to cover other files as well (eclasses, profiles, etc.) There is an open RFE bug for this and Jason (one of our portage devs) has already said they're working on it. --kurt [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 20:20 ` Kurt Lieber @ 2004-11-11 20:31 ` Glen Combe 2004-11-11 20:33 ` Kurt Lieber 2004-11-12 10:00 ` Marius Mauch 0 siblings, 2 replies; 12+ messages in thread From: Glen Combe @ 2004-11-11 20:31 UTC (permalink / raw To: gentoo-security Kurt. Detail of time and implemention is what I have in mind. I sense you might have a good feel for that? Weeks? Months? ----- Original Message ----- From: "Kurt Lieber" <klieber@gentoo.org> To: <gentoo-security@lists.gentoo.org> Sent: Thursday, November 11, 2004 1:20 PM Subject: Re: [gentoo-security] Maybe a new approach? -- gentoo-security@gentoo.org mailing list ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 20:31 ` Glen Combe @ 2004-11-11 20:33 ` Kurt Lieber 2004-11-12 10:00 ` Marius Mauch 1 sibling, 0 replies; 12+ messages in thread From: Kurt Lieber @ 2004-11-11 20:33 UTC (permalink / raw To: gentoo-security [-- Attachment #1: Type: text/plain, Size: 275 bytes --] On Thu, Nov 11, 2004 at 01:31:14PM -0700 or thereabouts, Glen Combe wrote: > Detail of time and implemention is what I have in mind. I sense you might > have a good feel for that? Weeks? Months? Nope, I have no sense whatsoever, so I won't even hazard a guess. --kurt [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-security] Maybe a new approach? 2004-11-11 20:31 ` Glen Combe 2004-11-11 20:33 ` Kurt Lieber @ 2004-11-12 10:00 ` Marius Mauch 1 sibling, 0 replies; 12+ messages in thread From: Marius Mauch @ 2004-11-12 10:00 UTC (permalink / raw To: gentoo-security [-- Attachment #1: Type: text/plain, Size: 2036 bytes --] On Thu, 11 Nov 2004 13:31:14 -0700 "Glen Combe" <gcombe@co.weber.ut.us> wrote: > Kurt. > > Detail of time and implemention is what I have in mind. I sense you > might have a good feel for that? Weeks? Months? Well, first lets see what we're still missing implementation-wise: 1) checksums/signatures for eclasses, profiles, the "scripts" dir and maybe a few others 2) enforcement for devs to sign their packages 3) some kind of PKI for portage signing keys 4) better verification support, the current implementation has a few problems (performance sucks and key management is almost completely manual) 5) stuff I forgot to mention here So now what needs to be done to fix these points: 1) a) decide how these files are to be signed/verified (one Manifest for all eclasses, individual signatures, ...) b) modify repoman to work in those dirs (currently it's only for package dirs) 2) a) ensure that *ALL* devs use repoman b) change repoman so only signed packages/eclasses/... are committed 3) not sure 4) a) find a way to improve gpg performance b) add support for 3) 5) no clue ;) >From this list, 1a), 2a) and 3) are outside the scope of dev-portage (well, we could make an arbitrary decision for 1a), so I can't give any estimates for them. I also can't give any estimate for 4a) as I don't know if that's possible or 4b) as it depends on 3). So the only points I can give any information on are 1b) and 2b): 1b) shouldn't be too difficult although repoman is tricky piece of software, I'd guess it would take a week or so for an initial implementation (depends on 1a of course) 2b) Tricky to do this in a proper way. Pretty much needs real transaction support in repoman. A 80% solution is pretty simple though (less than a week). I'd need to go into implementation details of repoman to completely explain this. Marius -- Public Key at http://www.genone.de/info/gpg-key.pub In the beginning, there was nothing. And God said, 'Let there be Light.' And there was still nothing, but you could see a bit better. [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2004-11-12 9:00 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2004-11-11 18:56 [gentoo-security] unsubscribe me -- I've had enough Lee Bowyer 2004-11-11 19:18 ` Jeff Smelser 2004-11-11 19:30 ` Matthew Baxa 2004-11-11 19:19 ` Gary Nichols 2004-11-11 19:37 ` Matthew Baxa 2004-11-11 19:43 ` [gentoo-security] Maybe a new approach? James Dennis 2004-11-11 19:55 ` Jeff Smelser 2004-11-11 20:11 ` Glen Combe 2004-11-11 20:20 ` Kurt Lieber 2004-11-11 20:31 ` Glen Combe 2004-11-11 20:33 ` Kurt Lieber 2004-11-12 10:00 ` Marius Mauch
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox