A day ago I wrote:
> At 2004-11-11 00:00:00 CET this article hits a rather
> popular public full-disclosure mailing list.
The problem with making predictions about by when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)
I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.
Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.
By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. Not the people who draw
attention to a vulnerability are causing trouble, the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.
Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the breaks in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix you breaks?
Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.
The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!
Oh, and if you think about blowing up on me know because
that would not be true ... then you might want to check the
date of the first time this problem was reported.
Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.
Oh -- you knew this were coming, right? --, if you think
about blowing up on me know because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.
Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:
| I explicitly said that signing should be implemented! I
| only disagree with the statement that it is a strong
| security measure or that it's lack is a great danger to
| Gentoo users.
-- Marc Ballarin <Ballarin.Marc@gmx.de>
http://article.gmane.org/gmane.linux.gentoo.security/1727
| I wouldn't waste [my time] hypothesizing about a man in
| the middle attack. While MOTM attacks are theoretically
| possible on many many protocols, they are *not* a
| serious threat [...].
-- Brian G. Peterson <brian@braverock.com>
http://article.gmane.org/gmane.linux.gentoo.security/1771
Peter
--
gentoo-security@gentoo.org mailing list
> At 2004-11-11 00:00:00 CET this article hits a rather
> popular public full-disclosure mailing list.
The problem with making predictions about by when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)
I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.
Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.
By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. Not the people who draw
attention to a vulnerability are causing trouble, the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.
Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the breaks in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix you breaks?
Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.
The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!
Oh, and if you think about blowing up on me know because
that would not be true ... then you might want to check the
date of the first time this problem was reported.
Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.
Oh -- you knew this were coming, right? --, if you think
about blowing up on me know because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.
Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:
| I explicitly said that signing should be implemented! I
| only disagree with the statement that it is a strong
| security measure or that it's lack is a great danger to
| Gentoo users.
-- Marc Ballarin <Ballarin.Marc@gmx.de>
http://article.gmane.org/gmane.linux.gentoo.security/1727
| I wouldn't waste [my time] hypothesizing about a man in
| the middle attack. While MOTM attacks are theoretically
| possible on many many protocols, they are *not* a
| serious threat [...].
-- Brian G. Peterson <brian@braverock.com>
http://article.gmane.org/gmane.linux.gentoo.security/1771
Peter
--
gentoo-security@gentoo.org mailing list