Out of air (was: Let's blow the whistle)
A day ago I wrote:

> At 2004-11-11 00:00:00 CET this article hits a rather
> popular public full-disclosure mailing list.

The problem with making predictions about when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)

I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.

Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.

By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. It is not the people who draw
attention to a vulnerability who are causing trouble; the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.

Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the brakes in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix your brakes?

Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.

The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!

Oh, and if you think about blowing up on me now because
that would not be true ... then you might want to check the
date of the first time this problem was reported.

Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.

Oh -- you knew this was coming, right? --, if you think
about blowing up on me now because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.

Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:

| I explicitly said that signing should be implemented! I
| only disagree with the statement that it is a strong
| security measure or that its lack is a great danger to
| Gentoo users.

-- Marc Ballarin <Ballarin.Marc@gmx.de>
http://article.gmane.org/gmane.linux.gentoo.security/1727


| I wouldn't waste [my time] hypothesizing about a man in
| the middle attack. While MITM attacks are theoretically
| possible on many many protocols, they are *not* a
| serious threat [...].

-- Brian G. Peterson <brian@braverock.com>
http://article.gmane.org/gmane.linux.gentoo.security/1771

Peter


--
gentoo-security@gentoo.org mailing list
Re: Out of air (was: Let's blow the whistle)
On Wednesday 10 November 2004 10:21, Peter Simons wrote:
> The reason why I am being confrontational is that if I
> hadn't been, NOTHING WOULD HAVE HAPPENED!

To be honest, I think the whole thread has achieved nothing. It has definitely
not prompted the beginning of a new initiative in signing the tree because
that was already underway. I very much doubt that it'll speed up the progress
made on that initiative, because the main limiting factor is time. No matter
what is said here, it's not going to make anybody go out and quit their jobs
in order to get tree signing implemented quicker.

Regards,
Jason Stubbs

Re: Out of air
Peter Simons wrote:
> Furthermore, several people have complained that I would be
> too confrontational and that I should phrase my messages
> more politely if I wanted something to happen about this.
> Here is a nice analogy that IMHO puts that into perspective:
> You are a car manufacturer and you receive a phone call from
> someone who informs you that the brakes in your latest model
> have a design flaw that may result in them failing, thus
> potentially killing all passengers. And the person who
> reports this is really, really rude. Does that mean you
> shouldn't fix your brakes?

Still.. being polite would be at least fair.
Of course you realize that you didn't pay for Gentoo, so I think
you should phrase your messages to respect the commitment and work
of the devs. Even so, you have a point in your messages.

It's not what you said, it's the way you say it.

-- RNuno

Re: Out of air (was: Let's blow the whistle)
Jason Stubbs writes:

> To be honest, I think the whole thread has achieved
> nothing.

I beg to differ. It has achieved that everyone who's
interested can now see quite clearly what the priorities of
Gentoo Linux are. I am not really judging your priorities.
It's free software. You can do whatever you want.

But I, at least, find it useful to know that spending a
couple of hours implementing an insanely simple procedure
that would prevent the insignificant number of, say, 10
people having their machines compromised -- machines with
all their personal data, e-mails, love letters, income tax
declarations, health records, etc. -- is not a priority.

Peter


Re: Re: Out of air (was: Let's blow the whistle)
On Wed, Nov 10, 2004 at 03:26:19AM +0100, Peter Simons wrote:
> Jason Stubbs writes:
>
> > To be honest, I think the whole thread has achieved
> > nothing.
>
> I beg to differ. It has achieved that everyone who's
> interested can now see quite clearly what the priorities of
> Gentoo Linux are. I am not really judging your priorities.
> It's free software. You can do whatever you want.

To echo the concerns of others, you have the right idea but
the wrong attitude. Gentoo is a free software project,
composed of hobbyists. Unlike Red Hat or SuSE, Gentoo remains
a hobbyist distro. Nobody can put aside their job or life
to work fulltime on fixing these bugs, but your contributions
are important, provided they are ultimately useful.

I too think this thread has achieved nothing other than to
annoy users and developers. A solution was already in the works,
but brash attitudes and reaction to them stalemated any further
discussion.

The discussion was not in the spirit of "Open Source."

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
Re: Out of air (was: Let's blow the whistle)
Dan,

you forgot to reply to this paragraph of my message:

> But I, at least, find it useful to know that spending a
> couple of hours implementing an insanely simple procedure
> that would prevent the insignificant number of, say, 10
> people having their machines compromised -- machines with
> all their personal data, e-mails, love letters, income tax
> declarations, health records, etc. -- is not a priority.

Peter


Re: Re: Out of air (was: Let's blow the whistle)
On Wed, Nov 10, 2004 at 03:49:54AM +0100, Peter Simons wrote:
> Dan,
>
> you forgot to reply to this paragraph of my message:
>
> > But I, at least, find it useful to know that spending a
> > couple of hours implementing an insanely simple procedure
> > that would prevent the insignificant number of, say, 10
> > people having their machines compromised -- machines with
> > all their personal data, e-mails, love letters, income tax
> > declarations, health records, etc. -- is not a priority.

I will reply, and I am sorry I forgot to reply before!

While I do not run business systems on it currently, I fully
trust my personal data with Gentoo. Furthermore, I am more
inclined to trust Gentoo devs' time and complexity estimates
than your own. I do hope this issue is resolved in a timely
manner; I don't feel your thread has contributed positively
towards an eventual resolution.

That is all.

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
Re: Out of air
RNuno writes:

> Still.. being polite would be at least fair.

Fixing a vulnerability that threatens your users' machines
without me having to bitch and moan for _days_ would be
fair, too, and you don't do it either. So I think we are
even.

Peter


Re: Re: Out of air
On Tuesday 09 November 2004 7:07 pm, Peter Simons wrote:
> Fixing a vulnerability that threatens your users' machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

This thread is degenerating into a heated debate to the likes of which I would
expect from elementary school children. We know what needs to be done, and it
will be done as soon as the developers are able; I agree with one of the
previous comments: feel free to implement the code instead of complaining.

Leave it at that.


--
Anthony Gorecki
Ectro-Linux Foundation
Re: Out of air (was: Let's blow the whistle)
Dan Noe writes:

> Furthermore, I am more inclined to trust Gentoo devs'
> time and complexity estimates than your own.

Within 1.5 years it would have been possible.
Trust me on that.

Peter


Re: Re: Out of air
On 10 Nov 2004 04:07:37 +0100
Peter Simons <simons@cryp.to> wrote:

> RNuno writes:
>
> > Still.. being polite would be at least fair.
>
> Fixing a vulnerability that threatens your users' machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

Did you purchase a support contract? Oh wait, we don't sell those
...</sarcasm>

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
Re: Re: Out of air (was: Let's blow the whistle)
Peter Simons wrote:

> Dan Noe writes:
>
> > Furthermore, I am more inclined to trust Gentoo devs'
> > time and complexity estimates than your own.
>
> Within 1.5 years it would have been possible.
> Trust me on that.
>
> Peter

Peter,

You keep talking about 1.5 years and a simple measure you know for
correcting the problem. That doesn't put you in a good position either:
*you* also had that time to do it, and still didn't do it. Then why are
you shouting to the "Gentoo team"? And don't tell me they prevented you
from solving the problem. As someone already said: you are part of the
community and you have the power to contribute. If you repeatedly tried
to submit code and nobody cared, then the reasonable way to end the
situation is to choose another distro that best addresses your goals.
Should that need to be accompanied by a post to a Gentoo mailing list,
the tone should be different. And polite, too.


Lucian Pintilie

Re: Re: Out of air (was: Let's blow the whistle)
On Wed, 10 Nov 2004 11:24:19 +0200, Lucian Pintilie
<lpintilie@montran.ro> wrote:
> Peter,
>
> You keep talking about 1.5 years and a simple measure you know for
> correcting the problem. That doesn't put you in a good position either:
> *you* also had that time to do it, and still didn't do it. Then why are
> you shouting to the "Gentoo team"? And don't tell me they prevented you
> from solving the problem. As someone already said: you are part of the
> community and you have the power to contribute. If you repeatedly tried
> to submit code and nobody cared, then the reasonable way to end the
> situation is to choose another distro that best addresses your goals.
> Should that need to be accompanied by a post to a Gentoo mailing list,
> the tone should be different. And polite, too.
>
>
> Lucian Pintilie

amen brotha. preach on.
