Mailing List Archive

Gentoo's security
Hi again,

I couldn't resist and have read some messages, and I believe some people
are missing the point.

It's really easy:

There are many kinds of funny security things in a Linux/Unix
environment to protect the user from software failures (like typos rm ./
-> rm /) or attackers. People normally don't use the root account, are
building chroots for specific programs, some programs are getting
special rights or user accounts, or even stuff like selinux and grsecurity.
Portage/emerge also does some things, there are the digests which
ensure that the software fetched is not changed (again either by error
or an attacker) and there is the sandbox to ensure the
installation-scripts from the packages don't delete or overwrite files
they shouldn't (again either by error or an attacker).

But then there are the ebuilds and the eclasses. These are scripts often
changed and fetched unchecked from the internet.

And those are normally run as root.

And this normally happens on a daily or weekly basis.

So you have on the one side carefully crafted environments to protect
the system/user from software-failures or attackers, but on the other
side there is portage which is run regularly and is fetching scripts from
the internet which are run unchecked by root.

I think this explains why I don't understand that nobody cares about that.

Kind regards,

Alexander Holler

--
gentoo-security@gentoo.org mailing list
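
An added example, not part of the original thread and not Portage code: a minimal sketch of the "list of hashes" idea applied to the ebuild/eclass tree, so that a synced tree is compared against a trusted list before any script in it is run. The file names and contents are constructed for illustration, and the list is assumed to arrive authenticated (for example signed), which this sketch does not implement.

```python
import hashlib
import tempfile
from pathlib import Path


def build_hash_list(tree: Path) -> dict[str, str]:
    """Map each file path (relative to the tree root) to its SHA-256 hex digest."""
    return {
        p.relative_to(tree).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(tree.rglob("*"))
        if p.is_file()
    }


def verify_tree(tree: Path, hash_list: dict[str, str]) -> dict[str, list[str]]:
    """Compare a synced tree with a trusted hash list.

    Nothing from the tree should be executed unless all three lists are empty.
    """
    actual = build_hash_list(tree)
    return {
        "modified": sorted(n for n in actual if n in hash_list and actual[n] != hash_list[n]),
        "unlisted": sorted(n for n in actual if n not in hash_list),
        "missing": sorted(n for n in hash_list if n not in actual),
    }


def demo() -> dict[str, list[str]]:
    # Constructed sample tree; names and contents are made up for this example.
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "eclass").mkdir()
        (tree / "app-misc/foo").mkdir(parents=True)
        (tree / "eclass/example.eclass").write_text("example_src_compile() { emake; }\n")
        (tree / "app-misc/foo/foo-1.0.ebuild").write_text("inherit example\n")
        trusted = build_hash_list(tree)  # assumption: published by the distributor, signed

        # Simulate a later sync that differs from the trusted list in three ways.
        (tree / "eclass/example.eclass").write_text("example_src_compile() { emake; : changed; }\n")
        (tree / "eclass/extra.eclass").write_text("# file that is not in the list\n")
        (tree / "app-misc/foo/foo-1.0.ebuild").unlink()
        return verify_tree(tree, trusted)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Reporting unlisted files matters as much as reporting modified ones: a new eclass that no list entry covers would otherwise be sourced without ever being checked.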
Re: Gentoo's security
On Monday 08 November 2004 11:02, Alexander Holler wrote:
> So you have on the one side carefully crafted environments to protect
> the system/user from software-failures or attackers, but on the other
> side there is portage which is run regularly and is fetching scripts from
> the internet which are run unchecked by root.
>
> I think this explains why I don't understand that nobody cares about
> that.

It really seems to me like you are trolling. The first email you sent was done
so after getting frustrated with Mike Frysinger's (vapier) closing of the
"versioned eclasses" bug. Yet, what you are talking about here is absolutely
nothing to do with that. You made most of the same statements on the bug, but
they were off-topic in that bug's context as well. Furthermore, there is
already another bug open for that off-topicness.

So, let me give you an account of where I see things are at:
* SHA1 support is in portage but can't be enabled yet due to compatibility
issues. That is, enabling it will prevent users running <portage-2.0.51
from being able to upgrade.
* Ebuild signing support is in portage and is starting to be adopted.
Presently, there is a push for developer education.
* CVS portage now runs most ebuild phases as the portage user rather than
root and work is being done to support the last few as well.
* Eclass, package and profile signing are all currently being worked on (and
had begun before you started trolling)

The thing you seem to keep coming back to is why it hasn't already been
completed. You've been given the answer to that several times - lack of time
and higher priority issues. What I really would like to know is why you are
trying to tie up so much more of the time of the people that you would have
implement support for these critical features with these pointless emails?

Regards,
Jason Stubbs

Re: Trolling (was: Gentoo's security)
Jason Stubbs wrote:
> On Monday 08 November 2004 11:02, Alexander Holler wrote:
...
> It really seems to me like you are trolling. The first email you sent was done
> so after getting frustrated with Mike Frysinger's (vapier) closing of the
> "versioned eclasses" bug. Yet, what you are talking about here is absolutely
> nothing to do with that. You made most of the same statements on the bug, but
> they were off-topic in that bug's context as well. Furthermore, there is
> already another bug open for that off-topicness.

Yes, I'm trolling and I don't care about opening and writing tons
of bugs if they get ignored or closed as worksforme/wontfix. I've
written enough bugs and somewhere came to the point that writing bugs is
a useless waste of time.

In the bug I mentioned in my second post, I explain that the trojan for
ebuilds is also usable on eclasses (which I've missed because they were
relatively new and I've never used them). Ok, unrelated according to you.

And in the second post, I also have a reminder of the first post, where the
first bug is mentioned where I explain how a list with hashes would
help. Ok, very complicated and unrelated too.

> So, let me give you an account of where I see things are at:
> * SHA1 support is in portage but can't be enabled yet due to compatibility
> issues. That is, enabling it will prevent users running <portage-2.0.51
> from being able to upgrade.

I still don't understand why just building a list with hashes (maybe
signed) takes over 2 years.

> * Ebuild signing support is in portage and is starting to be adopted.
> Presently, there is a push for developer education.
> * CVS portage now runs most ebuild phases as the portage user rather than
> root and work is being done to support the last few as well.
> * Eclass, package and profile signing are all currently being worked on (and
> had begun before you started trolling)

You don't have to repeat that "trolling". I think everyone has
understood where gentoo is going too. emerge moo!

> The thing you seem to keep coming back to is why it hasn't already been
> completed. You've been given the answer to that several times - lack of time
> and higher priority issues. What I really would like to know is why you are

Things like FEATURES="candy"?

> trying to tie up so much more of the time of the people that you would have
> implement support for these critical features with these pointless emails?

Yes, I'm totally pointless. It is unbelievable, but I too think that
eclasses are totally breaking the ebuild-versioning scheme. I'm so
pointless, I can't explain why.

Sorry, but as the troll I am, I'm now really leaving this list alone. I
have to troll.

Trolling,

Alexander

Re: Re: Trolling (was: Gentoo's security)
On Monday 08 November 2004 13:15, Alexander Holler wrote:
> In the bug I mentioned in my second post, I explain that the trojan for
> ebuilds is also usable on eclasses (which I've missed because they were
> relatively new and I've never used them). Ok, unrelated according to you.

This is unrelated to versioning of eclasses. There is another bug open for
signing of eclasses.

> And in the second post, I also have a reminder of the first post, where the
> first bug is mentioned where I explain how a list with hashes would
> help. Ok, very complicated and unrelated too.

Nobody denied that they wouldn't help. Scaring people definitely does not help
though.

> > So, let me give you an account of where I see things are at:
> > * SHA1 support is in portage but can't be enabled yet due to
> > compatibility issues. That is, enabling it will prevent users running
> > <portage-2.0.51 from being able to upgrade.
>
> I still don't understand why just building a list with hashes (maybe
> signed) takes over 2 years.

I came on board with the portage team 12 months ago. One dev left and there is
one new dev since then, which makes five. All of us are busy with non-Gentoo
work, especially over the last several months. I'd estimate a total of 40-50
man-hours put into portage each week.

Those 40-50 hours mostly go toward bug fixing as the portage code is a mess.
It's become a mess because of the push to get this, that and the other
feature in as quickly as possible. To give you a visible example, take the
recent GPG signing support. Search bugs.g.o for gpg signing and have a look
how many there are. How about glsa-check?

Most features in portage are implemented in a very hackish way because people
are always screaming "NOW!!!". The main focus of the team right now is to
clean up that mess so that new features can be implemented quickly, easily
and without an ensuing torrent of bug reports.

> > The thing you seem to keep coming back to is why it hasn't already been
> > completed. You've been given the answer to that several times - lack of
> > time and higher priority issues. What I really would like to know is why
> > you are
>
> Things like FEATURES="candy"?

This combined with "emerge moo" was perhaps a max total of 2 hours work. Are
you suggesting that we should not spend a trivial amount of our volunteer
time adding something that is welcomed by many?

Regards,
Jason Stubbs
