Mailing List Archive: Gentoo: Security

Out of air (was: Let's blow the whistle)

Index | Next | Previous | View Threaded

simons at cryp

Nov 9, 2004, 6:21 PM

Post #1 of 14 (1007 views)
Permalink

Out of air (was: Let's blow the whistle)

A day ago I wrote:

> At 2004-11-11 00:00:00 CET this article hits a rather
> popular public full-disclosure mailing list.

The problem with making predictions about by when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)

I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.

Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.

By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. Not the people who draw
attention to a vulnerability are causing trouble, the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.

Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the breaks in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix you breaks?

Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.

The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!

Oh, and if you think about blowing up on me know because
that would not be true ... then you might want to check the
date of the first time this problem was reported.

Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.

Oh -- you knew this were coming, right? --, if you think
about blowing up on me know because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.

Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:

| I explicitly said that signing should be implemented! I
| only disagree with the statement that it is a strong
| security measure or that it's lack is a great danger to
| Gentoo users.

-- Marc Ballarin <Ballarin.Marc [at] gmx>
http://article.gmane.org/gmane.linux.gentoo.security/1727

| I wouldn't waste [my time] hypothesizing about a man in
| the middle attack. While MOTM attacks are theoretically
| possible on many many protocols, they are *not* a
| serious threat [...].

-- Brian G. Peterson <brian [at] braverock>
http://article.gmane.org/gmane.linux.gentoo.security/1771

Peter

--
gentoo-security [at] gentoo mailing list

jstubbs at work-at

Nov 9, 2004, 6:50 PM

Post #2 of 14 (979 views)
Permalink

Re: Out of air (was: Let's blow the whistle) [In reply to]

On Wednesday 10 November 2004 10:21, Peter Simons wrote:
> The reason why I am being confrontational is that if I
> hadn't been, NOTHING WOULD HAVE HAPPENED!

To be honest, I think the whole thread has achieved nothing. It has definately
not prompted the beginning of a new initiative in signing the tree because
that was already underway. I very much doubt that it'll speed up the progress
made on that initiative, because the main limiting factor is time. No matter
what is said here, it's not going to make anybody go out and quit their jobs
in order to get tree signing implemented quicker.

Regards,
Jason Stubbs

--
gentoo-security [at] gentoo mailing list

glist at moonlight

Nov 9, 2004, 7:25 PM

Post #3 of 14 (981 views)
Permalink

Re: Out of air [In reply to]

Peter Simons wrote:
> Furthermore, several people have complained that I would be
> too confrontational and that I should phrase my messages
> more politely if I wanted something to happen about this.
> Here is a nice analogy that IMHO puts that into perspective:
> You are a car manufacturer and you receive a phone call from
> someone who informs you that the breaks in your latest model
> have a design flaw that may result in them failing, thus
> potentially killing all passengers. And the person who
> reports this is really, really rude. Does that mean you
> shouldn't fix you breaks?

Still.. being polite would be at least fair.
Of course you realize that you didn't pay for Gentoo so I think
you should phrase you messages, respect the commitment and work
of the dev's. Even so you have a point on your messages.

Is not what you said is the way you say it

-- RNuno

--
gentoo-security [at] gentoo mailing list

simons at cryp

Nov 9, 2004, 7:26 PM

Post #4 of 14 (980 views)
Permalink

Re: Out of air (was: Let's blow the whistle) [In reply to]

Jason Stubbs writes:

> To be honest, I think the whole thread has achieved
> nothing.

I beg to differ. It has achieved that everyone who's
interested can now see quite clearly how the priorities of
Gentoo Linux are. I am not really judging your priorities.
It's free software. You can do whatever you want.

But I, at least, find it useful to know that spending a
couple of hours implementing an insanely simple procedure
that would prevent the insignificant number of, say, 10
people having their machines compromised -- machines with
all their personal data, e-mails, love letters, income tax
declarations, health records, etc. -- is not a priority.

Peter

--
gentoo-security [at] gentoo mailing list

dpn at isomerica

Nov 9, 2004, 7:38 PM

Post #5 of 14 (980 views)
Permalink

Re: Re: Out of air (was: Let's blow the whistle) [In reply to]

On Wed, Nov 10, 2004 at 03:26:19AM +0100, Peter Simons wrote:
> Jason Stubbs writes:
>
> > To be honest, I think the whole thread has achieved
> > nothing.
>
> I beg to differ. It has achieved that everyone who's
> interested can now see quite clearly how the priorities of
> Gentoo Linux are. I am not really judging your priorities.
> It's free software. You can do whatever you want.

To echo the concerns of others, you have the right idea but
the wrong attitude. Gentoo is a free software project,
composed of hobbyists. Unlike Red Hat or SuSE, Gentoo remains
a hobbyist distro. Nobody can put aside their job or life
to work fulltime on fixing these bugs, but your contributions
are important, provided they are ultimately useful.

I too think this thread has achieved nothing other than to
annoy users and developers. A solution was already in the works,
but brash attitudes and reaction to them stalemated any further
discussion.

The discussion was not in the spirit of "Open Source."

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/

simons at cryp

Nov 9, 2004, 7:49 PM

Post #6 of 14 (980 views)
Permalink

Re: Out of air (was: Let's blow the whistle) [In reply to]

Dan,

you forgot to reply to this paragraph of my message:

> But I, at least, find it useful to know that spending a
> couple of hours implementing an insanely simple procedure
> that would prevent the insignificant number of, say, 10
> people having their machines compromised -- machines with
> all their personal data, e-mails, love letters, income tax
> declarations, health records, etc. -- is not a priority.

Peter

--
gentoo-security [at] gentoo mailing list

dpn at isomerica

Nov 9, 2004, 8:03 PM

Post #7 of 14 (979 views)
Permalink

Re: Re: Out of air (was: Let's blow the whistle) [In reply to]

On Wed, Nov 10, 2004 at 03:49:54AM +0100, Peter Simons wrote:
> Dan,
>
> you forgot to reply to this paragraph of my message:
>
> > But I, at least, find it useful to know that spending a
> > couple of hours implementing an insanely simple procedure
> > that would prevent the insignificant number of, say, 10
> > people having their machines compromised -- machines with
> > all their personal data, e-mails, love letters, income tax
> > declarations, health records, etc. -- is not a priority.

I will reply, and I am sorry I forgot to reply before!

While I do not run business systems on it currently, I fully
trust my personal data with Gentoo. Furthermore, I am more
inclined to trust Gentoo dev's time and complexity estimates
than your own. I do hope this issue is resolved in a timely
manner, I don't feel your thread has contributed positively
towards an eventual resolution.

That is all.

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/

simons at cryp

Nov 9, 2004, 8:07 PM

Post #8 of 14 (979 views)
Permalink

Re: Out of air [In reply to]

RNuno writes:

> Still.. being polite would be at least fair.

Fixing a vulnerability that threatens your user's machines
without me having to bitch and moan for _days_ would be
fair, too, and you don't do it either. So I think we are
even.

Peter

--
gentoo-security [at] gentoo mailing list

anthony at ectrolinux

Nov 9, 2004, 8:10 PM

Post #9 of 14 (983 views)
Permalink

Re: Re: Out of air [In reply to]

On Tuesday 09 November 2004 7:07 pm, Peter Simons wrote:
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

This thread is degenerating into a heated debate to the likes of which I would
expect from elementary school children. We know what needs to be done, and it
will be done as soon as the developers are able; I agree with one of the
previous comments: feel free to implement the code instead of complaining.

Leave it at that.

--
Anthony Gorecki
Ectro-Linux Foundation

simons at cryp

Nov 9, 2004, 8:15 PM

Post #10 of 14 (979 views)
Permalink

Re: Out of air (was: Let's blow the whistle) [In reply to]

Dan Noe writes:

> Furthermore, I am more inclined to trust Gentoo dev's
> time and complexity estimates than your own.

Within 1.5 years it would have been possible.
Trust me on that.

Peter

--
gentoo-security [at] gentoo mailing list

genone at gentoo

Nov 9, 2004, 8:29 PM

Post #11 of 14 (979 views)
Permalink

Re: Re: Out of air [In reply to]

On 10 Nov 2004 04:07:37 +0100
Peter Simons <simons [at] cryp> wrote:

> RNuno writes:
>
> > Still.. being polite would be at least fair.
>
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

Did you purchase a support contract? Oh wait, we don't sell those
...</sarcasm>

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

lpintilie at montran

Nov 10, 2004, 2:24 AM

Post #12 of 14 (979 views)
Permalink

Re: Re: Out of air (was: Let's blow the whistle) [In reply to]

Peter Simons wrote:

>Dan Noe writes:
>
> > Furthermore, I am more inclined to trust Gentoo dev's
> > time and complexity estimates than your own.
>
>Within 1.5 years it would have been possible.
>Trust me on that.
>
>Peter
>
>
>
Peter,

You keep talking about 1.5 years and a simple measure you know for
correcting the problem. That doesn't put you in a good position either:
*you* also had that time to do it, and still didn't do it. Then why are
you shouting to the "Gentoo team"? And don't tell me they prevented you
from solving the problem. As someone already said: you are part of the
comunity and you have the power to contribute. If you repeatedly tried
to submit code and nobody cared, then the reasonable way to end the
situation is to choose another distro that best addresses your goals.
Should that need to be accompanied by a post to a Gentoo mailing list,
the tone should be different. And polite, too.

Lucian Pintilie

--
gentoo-security [at] gentoo mailing list

npinkerton at gmail

Nov 10, 2004, 1:21 PM

Post #13 of 14 (979 views)
Permalink

Re: Re: Out of air (was: Let's blow the whistle) [In reply to]

On Wed, 10 Nov 2004 11:24:19 +0200, Lucian Pintilie
<lpintilie [at] montran> wrote:
> Peter,
>
> You keep talking about 1.5 years and a simple measure you know for
> correcting the problem. That doesn't put you in a good position either:
> *you* also had that time to do it, and still didn't do it. Then why are
> you shouting to the "Gentoo team"? And don't tell me they prevented you
> from solving the problem. As someone already said: you are part of the
> comunity and you have the power to contribute. If you repeatedly tried
> to submit code and nobody cared, then the reasonable way to end the
> situation is to choose another distro that best addresses your goals.
> Should that need to be accompanied by a post to a Gentoo mailing list,
> the tone should be different. And polite, too.
>
>
> Lucian Pintilie

amen brotha. preach on.

--
gentoo-security [at] gentoo mailing list

npinkerton at gmail

Nov 10, 2004, 1:21 PM

Post #14 of 14 (979 views)
Permalink

Re: Re: Out of air (was: Let's blow the whistle) [In reply to]

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads