Mailing List Archive

The solution and hopefully the end.
On Tue, Nov 09, 2004 at 08:53:21PM -0800 or thereabouts, Chris Haumesser wrote:
> Devs, what have you to lose by helping us do this? I don't think I
> understand the resistance, outside of the emotional reaction triggered
> by this thread's initiator.

The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here. I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.

This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do. I
think it's safe to say that all of the other developers share that same
motivation. If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.

You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction. Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless. That's fine -- I don't begrudge them because I do what I do
because I enjoy it. So, when taking a stand on what you feel to be an
important issue, keep this in mind: It does not matter if you are morally
right. It does not matter if the issue is serious. If you take the fun
out of developing this distro, Gentoo will die, period.

Anyway, enough preaching. This thread has gone on long enough. The
solution that's been agreed upon is signing the daily snapshots that we
provide for users who can't use rsync. (/snapshots directory on your
favorite source mirror)

This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very few changes to our existing
infrastructure. emerge-webrsync will be hacked up to provide verification
support for it. I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution. It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.

--kurt

P.S. I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred. If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...
Re: The solution and hopefully the end.
On Wed, 10 Nov 2004 13:52:02 +0000
Kurt Lieber <klieber@gentoo.org> wrote:

> The original fix suggested won't work for a number of reasons that I'm not
> going to bother to re-hash here.

re-hash...made me laugh.

> The solution that's been agreed upon is signing the daily snapshots that we
> provide for users who can't use rsync. (/snapshots directory on your
> favorite source mirror)
>
> robust verification solution in portage itself.

That's so simple it hurts. :)

Thanks Kurt.
Re: The solution and hopefully the end.
On Wed, Nov 10, 2004 at 01:52:02PM +0000, Kurt Lieber wrote:
> The original fix suggested won't work for a number of reasons that I'm not
> going to bother to re-hash here. I did suggest an alternate solution that
> I think is going to work and Peter has agreed to write the code to
> implement it.
[snip]
> This thread has gone on long enough. The
> solution that's been agreed upon is signing the daily snapshots that we
> provide for users who can't use rsync. (/snapshots directory on your
> favorite source mirror)

Fantastic idea! If you need help writing or testing this script, you guys
know where to find me. :-) I'm not a python guru, but the main script
shouldn't need much more than bash.

Thanks,
- Chris


--
gentoo-security@gentoo.org mailing list
Re: The solution and hopefully the end.
On Wed, 10 Nov 2004, Kurt Lieber wrote:
> This entire thread has been very demotivating to me as a Gentoo developer.
> Please keep in mind that I donate my time because I enjoy what I do. I
> think it's safe to say that all of the other developers share that same
> motivation. If you take the enjoyment out of developing Gentoo, it's going
> to die off rather quickly.

I just want to say that I *really* appreciate every minute that the Gentoo
developers spend on Gentoo, especially the Gentoo SPARC team. You guys
deserve much more credit than you are given. I, for one, will be tipping
a glass of fine beer tonight in your honor. :-)

To Kurt and everyone else - THANK YOU.



Re: The solution and hopefully the end.
Agreed!!! You Gentoo Developers are terrific! Never before has a distro
matched Gentoo.. the community has been so wonderful.. I am now running
(between work and home) almost a dozen Gentoo boxes, and love it.

Keep up the good work, Developers. Don't let one bad apple ruin it for you
(there's bound to be more of them as Gentoo gets more popular,
unfortunately). Just remember all the positive notes you get from users...

And a note to the users: let's let the developers know how much we
appreciate them a bit more often.. ;)

>
> On Wed, 10 Nov 2004, Kurt Lieber wrote:
>> This entire thread has been very demotivating to me as a Gentoo
>> developer.
>> Please keep in mind that I donate my time because I enjoy what I do. I
>> think it's safe to say that all of the other developers share that same
>> motivation. If you take the enjoyment out of developing Gentoo, it's
>> going
>> to die off rather quickly.
>
> I just want to say that I *really* appreciate every minute that the Gentoo
> developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> deserve much more credit than you are given. I, for one, will be tipping
> a glass of fine beer tonight in your honor. :-)
>
> To Kurt and everyone else - THANK YOU.
>
>
>
>
>



Re: The solution and hopefully the end.
Couldn't agree more! You developers are doing a great job! Please keep
up the great work!

In order to show how much I appreciate your work, I just bought some
stuff from the Gentoo store. I would like to encourage everyone who
enjoys Gentoo as much as I do to do the same!

Please help to keep Kurt and the other developers motivated!

Cheers,

Michael.


On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> matched Gentoo.. the community has been so wonderful.. I am now running
> (between work and home) almost a dozen Gentoo boxes, and love it.
>
> Keep up the good work, Developers. Don't let one bad apple ruin it for you
> (there's bound to be more of them as Gentoo gets more popular,
> unfortunately). Just remember all the positive notes you get from users...
>
> And a note to the users: let's let the developers know how much we
> appreciate them a bit more often.. ;)



Re: The solution and hopefully the end.
There has been a lot of negative mail in this thread so another positive
may be welcome!

I would like to let all the gentoo devs reading this thread know that I
highly appreciate the great work you have done for us, the community,
in the past and that you'll continue to deliver.

I've been using Linux (in fact several distro.) for about ten years now
and Gentoo is by far the one that fills all my needs (even security!).

Thanks to all gentoo devs. for all the time they gave to the community!

On Wed, 2004-11-10 at 14:02, Joey McCoy wrote:
> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> matched Gentoo.. the community has been so wonderful.. I am now running
> (between work and home) almost a dozen Gentoo boxes, and love it.
>
> Keep up the good work, Developers. Don't let one bad apple ruin it for you
> (there's bound to be more of them as Gentoo gets more popular,
> unfortunately). Just remember all the positive notes you get from users...
>
> And a note to the users: let's let the developers know how much we
> appreciate them a bit more often.. ;)
>
> >
> > On Wed, 10 Nov 2004, Kurt Lieber wrote:
> >> This entire thread has been very demotivating to me as a Gentoo
> >> developer.
> >> Please keep in mind that I donate my time because I enjoy what I do. I
> >> think it's safe to say that all of the other developers share that same
> >> motivation. If you take the enjoyment out of developing Gentoo, it's
> >> going
> >> to die off rather quickly.
> >
> > I just want to say that I *really* appreciate every minute that the Gentoo
> > developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> > deserve much more credit than you are given. I, for one, will be tipping
> > a glass of fine beer tonight in your honor. :-)
> >
> > To Kurt and everyone else - THANK YOU.
> >
> >
> >
> >
> >
>
>
>
>


Re: The solution and hopefully the end.
Oh cool. I didn't realize buying Gentoo t-shirts and things helped the
developers so much. I will most definitely be purchasing some merchandise,
then!

Btw, I forgot to add that I'm a security nut (often referred to as a
'pedantic' security nut;) ), and Gentoo is the ONLY distro that I've found
to satisfy my security needs, and it is QUITE easy to implement them
compared to other distros.. :)

> Couldn't agree more! You developers are doing a great job! Please keep
> up the great work!
>
> In order to show how much I appreciate your work, I just bought some
> stuff from the Gentoo store. I would like to encourage everyone who
> enjoys Gentoo as much as I do to do the same!
>
> Please help to keep Kurt and the other developers motivated!
>
> Cheers,
>
> Michael.
>
>
> On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
>> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
>> matched Gentoo.. the community has been so wonderful.. I am now running
>> (between work and home) almost a dozen Gentoo boxes, and love it.
>>
>> Keep up the good work, Developers. Don't let one bad apple ruin it for
>> you
>> (there's bound to be more of them as Gentoo gets more popular,
>> unfortunately). Just remember all the positive notes you get from
>> users...
>>
>> And a note to the users: let's let the developers know how much we
>> appreciate them a bit more often.. ;)
>
>
>
>
>



Re: The solution and hopefully the end.
that is a great idea.... I think I will follow suit and buy a thing or two
of gentoo... As well, I enjoy gentoo and the base principles. Choice....
it's all about choice. That is why gentoo works for me.

Thanks to devs who have put in the time and hard work.

cheers.
----- Original Message -----
From: "Michael Gruenberger" <mgruenb@gmx.net>
To: <gentoo-security@lists.gentoo.org>
Sent: Wednesday, November 10, 2004 12:20 PM
Subject: Re: [gentoo-security] The solution and hopefully the end.


> Couldn't agree more! You developers are doing a great job! Please keep
> up the great work!
>
> In order to show how much I appreciate your work, I just bought some
> stuff from the Gentoo store. I would like to encourage everyone who
> enjoys Gentoo as much as I do to do the same!
>
> Please help to keep Kurt and the other developers motivated!
>
> Cheers,
>
> Michael.
>
>
> On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
> > Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> > matched Gentoo.. the community has been so wonderful.. I am now running
> > (between work and home) almost a dozen Gentoo boxes, and love it.
> >
> > Keep up the good work, Developers. Don't let one bad apple ruin it for you
> > (there's bound to be more of them as Gentoo gets more popular,
> > unfortunately). Just remember all the positive notes you get from users...
> >
> > And a note to the users: let's let the developers know how much we
> > appreciate them a bit more often.. ;)
>
>
>
>
>



Re: The solution and hopefully the end.
At the risk of being repetitive...

Ditto! (Oh and I just bought some Gentoo gear of my own. I guess I had
better visit OpenBSD.org while I'm at it!!!)

Really, "Thanks!" to all contributors,

Bill - repentant leech
(Unrepentant list lurker)

On or about 11/10/04, many folks wrote:

> Thanks to devs who have put in the time and hard work.
>
> cheers.

>> Couldn't agree more! You developers are doing a great job! Please keep
>> up the great work!

>>> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
>>> matched Gentoo.. the community has been so wonderful.. I am now running
>>> (between work and home) almost a dozen Gentoo boxes, and love it.
>>>
>>> Keep up the good work, Developers. Don't let one bad apple ruin it for
>>> you



Re: The solution and hopefully the end.
On Wed, Nov 10, 2004 at 11:15:11AM -0700, Gary Nichols wrote:
> I just want to say that I *really* appreciate every minute that the Gentoo
> developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> deserve much more credit than you are given. I, for one, will be tipping
> a glass of fine beer tonight in your honor. :-)

Gentoo is the only distribution/OS that's held my interest and satisfied my computing
needs, and it's all thanks to the devs. I try to do my part when I can to repay the
community, but without our wonderful devs we wouldn't be here. Thanks to all of you.
(And don't let the idiots get you down. Most of us really do appreciate you.)
Tom
Re: Re: The solution and hopefully the end.
On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:

> Gentoo is the only distribution/OS that's held my interest and satisfied my
> computing needs, and it's all thanks to the devs. I try to do my part when
> I can to repay the community, but without our wonderful devs we wouldn't be
> here. Thanks to all of you. (And don't let the idiots get you down. Most
> of us really do appreciate you.) Tom

Who is an idiot by the way? I am curious who you're directing this comment to.

Jeff
Re: Re: The solution and hopefully the end.
On Wed, 10 Nov 2004 16:20:35 -0600, Jeff Smelser <tradergt@smelser.org> wrote:
> On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:
>
> > Gentoo is the only distribution/OS that's held my interest and satisfied my
> > computing needs, and it's all thanks to the devs. I try to do my part when
> > I can to repay the community, but without our wonderful devs we wouldn't be
> > here. Thanks to all of you. (And don't let the idiots get you down. Most
> > of us really do appreciate you.) Tom
>
> Who is an idiot by the way? I am curious who you're directing this comment to.
>
> Jeff
>

The idiots are the people who will not let this thread die.

Re: Re: The solution and hopefully the end.
On Wed, Nov 10, 2004 at 04:20:35PM -0600, Jeff Smelser wrote:
> Who is an idiot by the way? I am curious who you're directing this comment to.

I'm sure the devs have occasionally been frustrated by people's actions or comments.
They're doing this for fun, and sometimes users don't understand that. I try not to show
my hard-headed side here, even when images of 'rtfm' flash through my mind... one of the
best parts of Gentoo is the helpful community.
We all have our people that get to us - though I bet ciaranm's list is longer than most :)
Tom
Re: The solution and hopefully the end.
Gary Nichols wrote:

>
> On Wed, 10 Nov 2004, Kurt Lieber wrote:
>
>> This entire thread has been very demotivating to me as a Gentoo
>> developer.
>> Please keep in mind that I donate my time because I enjoy what I do. I
>> think it's safe to say that all of the other developers share that same
>> motivation.
>
>
> I just want to say that I *really* appreciate every minute that the
> Gentoo developers spend on Gentoo, especially the Gentoo SPARC team.
> You guys deserve much more credit than you are given. I, for one,
> will be tipping a glass of fine beer tonight in your honor. :-)


Hear, hear. As a (heretofore silent) Gentoo user for about two years, I
feel certain the vast majority of us feel the way that Gary Nichols does
and greatly appreciate the work you do.

Re: The solution and hopefully the end.
On Wednesday 10 November 2004 22:52, Kurt Lieber wrote:
> emerge-webrsync will be hacked up to provide verification support for it. I
> don't have any commitments from the portage devs that these changes will be
> included (emerge-webrsync is part of portage) so this may end up being an
> unsupported, use-at-your-own-risk solution.

emerge-webrsync is on its way out to be integrated with portage - already in
CVS actually - but the checking of a manifest can be integrated just as
easily providing the "standard" PORTAGE_GPG_DIR et al configuration is used.
Consider this "official" commitment. :)

Regards,
Jason Stubbs

Re: The solution and hopefully the end.
Kurt Lieber writes:

> The original fix suggested won't work for a number of
> reasons that I'm not going to bother to re-hash here.

I'd like to fill that little blank in.

The reason why 99.9% of the Gentoo users can't authenticate
any of the software they use is that some high-profile
Gentoo system administrator is too dumb to realize that ...

(1) you don't need to generate hashes for any of the files
that are covered by the manifests, because -- surprise
-- the manifests do contain their hashes already.

(2) you don't need to regenerate a hash when the file
hasn't changed since the last time you generated one.

(3) adding a single command to CVSROOT/commitinfo would
generate a hash for every file the moment a change was
committed so that there was absolutely no timing
problem and almost no increase in load on the server.


> Quite frankly, a lot of the users out there are leeches
> who don't provide anything back to the Gentoo community,
> but consume our software nonetheless.

Since this comment is obviously directed at me, I suggest
you grep your unauthenticated Portage database for my name,
dumb-ass. Quite frankly, not everybody is as hung up on what
he all does for Gentoo and mentions it at every second
opportunity.


> P.S. I do not want anyone to think that this solution is
> being implemented because of the bitching and screaming
> that occurred.

No. It is implemented because I did it.


I apologize for flaming on the list, but after being lied
to, being called an asshole, being called a jackass, being
called a public stink, being told to fuck off, and all that
because I dare request that someone simply stops standing in
the way when others are trying to increase the security of
Gentoo's users -- and that on the SECURITY mailing list, for
crying out loud --, I really don't feel there is any need to
be polite anymore.

And please don't misunderstand me. There are people who
deserved it a LOT more to be flamed than Kurt. Definitely.
But some of those guys are *so* dumb that it's really not
worth it.

And now I'll do what some real tough security experts here
wanted all along. I'll cease posting.

Until next time.

Peter
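Points (1) and (2) above in working code, as an added example that is not from this thread or from Portage: a verifier that trusts the hashes already present in a Gentoo-style Manifest (the 2004-era line format `MD5 <hex> <path> <size>` is assumed) and re-hashes only files whose size or mtime changed. File names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Return {path: (md5hex, size)} from 'MD5 <hex> <path> <size>' lines; others ignored."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "MD5":
            entries[parts[2]] = (parts[1].lower(), int(parts[3]))
    return entries

def md5_file(path):
    h = hashlib.md5()  # streamed so large files need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, entries, cache=None):
    """Check each Manifest entry under root; return (sorted problems, updated cache).
    cache maps path -> (size, mtime_ns, md5): unchanged files are not re-hashed (point 2).
    That shortcut belongs on the trusted host producing the hashes; a client verifier
    should pass no cache, since whoever alters a file can preserve its size and mtime.
    """
    cache = dict(cache or {})
    problems = []
    for rel, (want_md5, want_size) in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
            continue
        st = os.stat(full)
        if st.st_size != want_size:
            problems.append((rel, "size mismatch"))
            continue
        hit = cache.get(rel)
        if hit and hit[:2] == (st.st_size, st.st_mtime_ns):
            got = hit[2]
        else:
            got = md5_file(full)
            cache[rel] = (st.st_size, st.st_mtime_ns, got)
        if got != want_md5:
            problems.append((rel, "md5 mismatch"))
    return sorted(problems), cache

def demo():
    """Constructed sample: two files and a matching Manifest, then one same-size edit."""
    files = {"foo-1.0.ebuild": b'DESCRIPTION="demo"\n', "files/foo.patch": b"+fixed\n"}
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(data)
            lines.append("MD5 %s %s %d" % (hashlib.md5(data).hexdigest(), rel, len(data)))
        entries = parse_manifest("\n".join(lines))
        clean, cache = verify_tree(root, entries)
        ebuild = Path(root, "foo-1.0.ebuild")
        ebuild.write_bytes(b"X" + files["foo-1.0.ebuild"][1:])  # same size: only the hash catches it
        os.utime(ebuild, (0, 0))  # force an mtime unlike the cached one (no clock-resolution dependence)
        tampered, _ = verify_tree(root, entries, cache)
    return clean, tampered
```

The first pass hashes both files and fills the cache; the second pass reuses the cached hash for the untouched patch and re-hashes only the edited ebuild, which fails the MD5 check.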


Re: The solution and hopefully the end.
On Wednesday 10 November 2004 14:52, Kurt Lieber wrote:
> Anyway, enough preaching. This thread has gone on long enough. The
> solution that's been agreed upon is signing the daily snapshots that
> we provide for users who can't use rsync. (/snapshots directory on
> your favorite source mirror)

All right, repeating it is not useful.

>
> This provides the ability to verify the integrity of every single file
> under /usr/portage/ and requires very little changes to our existing
> infrastructure. emerge-webrsync will be hacked up to provide
> verification support for it. I don't have any commitments from the
> portage devs that these changes will be included (emerge-webrsync is
> part of portage) so this may end up being an unsupported,
> use-at-your-own-risk solution. It does not take away from or alter the
> plans to implement a much better, more robust verification solution in
> portage itself.

Well, finally some usable solution. I'm fairly confident that the portage
devs will support it. I think it can be an acceptable measure until the
final measures are finalized.

Paul

> P.S. I do not want anyone to think that this solution is being
> implemented because of the bitching and screaming that occurred. If
> someone had posted a message to the list before all this broke out
> suggesting this solution and volunteering to write the code for it, it
> would be in place by now. That's another way of saying that we didn't
> have to go through all this unpleasantness...

ps. I'm fairly confident that all the bashing has in general been
counterproductive. I certainly have still about 100 mails on the mailing
list laying about, which I don't intend to read. I don't care much about
flamewars, and might certainly have missed productive suggestions.

At least now there is a good temporary measure, and we can now focus on
how the keychain maintenance can be handled (for the final solution).

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net