[gentoo-security] Gentoo's security

[gentoo-security] Gentoo's security

[Alexander Holler]

Hi again,

I couldn't resist and have read some messages, and I belive some people 
are missing the point.

It's really easy:

There are many kinds of funny security things in a Linux/Unix 
environment to protect the user from software failures (like typos rm ./ 
-> rm /) or attackers. People normally don't use the root account, are 
building chroots for specific programs, some programs are getting 
special rights or user accounts, or even stuff like selinux and grsecurity.
Portage/emerge also does some things, there are the digests which 
ensures that the software fetched is not changed (again either by error 
or an attacker) and there is the sandbox to ensure the 
installation-scripts from the packages don't delete or overwrite files 
they shouldn't (again either by error or an attacker).

But then there are the ebuilds and the eclasses. This are scripts often 
changed and fetched unchecked from the internet.

And those are normally run as root.

And this normally happens on a daily or weekly basis.

So you have on the one side carefully crafted environments to protect 
the system/user from software-failures or attackers, but on the other 
side there is portage which is run regulary and is fetching scripts from 
the internet which are run unchecked by root.

I think this explains why I doesn't understand that nobody cares about that.

Kind regards,

Alexander Holler

--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Gentoo's security

[Jason Stubbs]

On Monday 08 November 2004 11:02, Alexander Holler wrote:
> So you have on the one side carefully crafted environments to protect
> the system/user from software-failures or attackers, but on the other
> side there is portage which is run regulary and is fetching scripts from
> the internet which are run unchecked by root.
>
> I think this explains why I doesn't understand that nobody cares about
> that.

It really seems to me like you are trolling. The first email you sent was done 
so after getting frustrated with Mike Frysinger's (vapier) closing of the 
"versioned eclasses" bug. Yet, what you are talking about here is absolutely 
nothing to do with that. You made most of the same statements on the bug, but 
they were off-topic in that bug's context as well. Furthermore, there is 
already another bug open for that off-topicness.

So, let me give you an account of where I see things are at:
* SHA1 support is in portage but can't be enabled yet due to compatibility 
  issues. That is, enabling it will prevent user's running <portage-2.0.51 
  from being able to upgrade.
* Ebuild signing support is in portage and is starting to be adopted. 
  Presently, there is a push for developer education.
* CVS portage now runs most ebuild phases as the portage user rather than 
  root and work is being done to support the last few as well.
* Eclass, package and profile signing are all currently being worked on (and 
  had begun before you started trolling)

The thing you seem to keep coming back to is why it hasn't already been 
completed. You've been given the answer to that several times - lack of time 
and higher priority issues. What I really would like to know is why you are 
trying to tie up so much more of the time of the people that you would have 
implement support for these critical features with these pointless emails?

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: Trolling (was: Gentoo's security)

[Alexander Holler]

Jason Stubbs wrote:
> On Monday 08 November 2004 11:02, Alexander Holler wrote:
...
> It really seems to me like you are trolling. The first email you sent was done 
> so after getting frustrated with Mike Frysinger's (vapier) closing of the 
> "versioned eclasses" bug. Yet, what you are talking about here is absolutely 
> nothing to do with that. You made most of the same statements on the bug, but 
> they were off-topic in that bug's context as well. Furthermore, there is 
> already another bug open for that off-topicness.

Yes I'm trolling and I doesn't take care about opening and writing tons 
of bugs if they got ignored or closed as worksforme/wontfix. I've 
written enough bugs and somewhere came to the point that written bugs is 
a useless spend of time.

In the bug I mentioned in my second post, I explain that the trojan for 
ebuilds is also usable on eclasses (which I've missed because they where 
relativly new and I've never used them). Ok, unrelated according to you.

And the second post, I also have reminder on the first post, where the 
first bug is mentioned where I explain how a list with hashes would 
help. Ok, very complicated and unrelated too.

> So, let me give you an account of where I see things are at:
> * SHA1 support is in portage but can't be enabled yet due to compatibility 
>   issues. That is, enabling it will prevent user's running <portage-2.0.51 
>   from being able to upgrade.

I still don't understand why just building a list with hashes (maybe 
signed) takes over 2 years.

> * Ebuild signing support is in portage and is starting to be adopted. 
>   Presently, there is a push for developer education.
> * CVS portage now runs most ebuild phases as the portage user rather than 
>   root and work is being done to support the last few as well.
> * Eclass, package and profile signing are all currently being worked on (and 
>   had begun before you started trolling)

You don't have to repeat that "trolling'. I think everyone has 
understood where gentoo is going too. emerge moo!

> The thing you seem to keep coming back to is why it hasn't already been 
> completed. You've been given the answer to that several times - lack of time 
> and higher priority issues. What I really would like to know is why you are 

Things like FEATURES="candy"?

> trying to tie up so much more of the time of the people that you would have 
> implement support for these critical features with these pointless emails?

Yes I'm totally pointless. It is unbelievable, but I'm too thinking that 
eclasses are totally breaking the ebuild-versioning scheme. I'm so 
pointless, I can't explain why.

Sorry, but as a troll I am, I'm now really leaving this list alone. I 
have to troll.

Trolling,

Alexander

--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Trolling (was: Gentoo's security)

[Jason Stubbs]

On Monday 08 November 2004 13:15, Alexander Holler wrote:
> In the bug I mentioned in my second post, I explain that the trojan for
> ebuilds is also usable on eclasses (which I've missed because they where
> relativly new and I've never used them). Ok, unrelated according to you.

This is unrelated to versioning of eclasses. There is another bug open for 
signing of eclasses.

> And the second post, I also have reminder on the first post, where the
> first bug is mentioned where I explain how a list with hashes would
> help. Ok, very complicated and unrelated too.

Nobody denied that they wouldn't help. Scaring people definately does not help 
though.

> > So, let me give you an account of where I see things are at:
> > * SHA1 support is in portage but can't be enabled yet due to
> > compatibility issues. That is, enabling it will prevent user's running
> > <portage-2.0.51 from being able to upgrade.
>
> I still don't understand why just building a list with hashes (maybe
> signed) takes over 2 years.

I came on board with the portage team 12 months ago. One dev left and there is 
one new dev since then, which makes five. All of us are busy with non-Gentoo 
work, especially over the last several months. I'd estimate a total of 40-50 
man-hours put into portage each week.

Those 40-50 hours mostly go toward bug fixing as portage the code is a mess. 
It's become a mess because of the push to get this, that and the other 
feature in as quickly as possible. To give you a visible example, take the 
recent GPG signing support. Search bugs.g.o for gpg signing and have a look 
how many there are. How about glsa-check?

Most features in portage are implemented in a very hackish way because people 
are always screaming "NOW!!!". The main focus of the team right now is to 
clean up that mess so that new features can be implemented quickly, easily 
and without an ensuing torrent of bug reports.

> > The thing you seem to keep coming back to is why it hasn't already been
> > completed. You've been given the answer to that several times - lack of
> > time and higher priority issues. What I really would like to know is why
> > you are
>
> Things like FEATURES="candy"?

This combined with "emerge moo" was perhaps a max total of 2 hours work. Are 
you suggesting that we should not spend a trivial amount of our volunteer 
time adding something that is welcomed by many?

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list