Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Security

The solution and hopefully the end.

  

 
Gentoo security RSS feed   Index | Next | Previous | View Threaded


klieber at gentoo

Nov 10, 2004, 6:52 AM

Post #1 of 18 (1179 views)
Permalink
The solution and hopefully the end.
On Tue, Nov 09, 2004 at 08:53:21PM -0800 or thereabouts, Chris Haumesser wrote:
> Devs, what have you to lose by helping us do this? I don't think I
> understand the resistance, outside of the emotional reaction triggered
> by this thread's initiator.

The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here. I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.

This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do. I
think it's safe to say that all of the other developers share that same
motivation. If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.

You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction. Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless. That's fine -- I don't begrudge them because I do what I do
because I enjoy it. So, when taking a stand on what you feel to be an
important issue, keep this in mind: It does not matter if you are morally
right. It does not matter if the issue is serious. If you take the fun
out of developing this distro, Gentoo will die, period.

Anyway, enough preaching. This thread has gone on long enough. The
solution that's been agreeed upon is signing the daily snapshots that we
provide for users who can't use rsync. (/snapshots directory on your
favorite source mirror)

This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very little changes to our existing
infrastructure. emerge-webrsync will be hacked up to provide verification
support for it. I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution. It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.

--kurt

P.S. I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred. If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...


anthony.metcalf at anferny

Nov 10, 2004, 7:00 AM

Post #2 of 18 (1149 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wed, 10 Nov 2004 13:52:02 +0000
Kurt Lieber <klieber [at] gentoo> wrote:

> The original fix suggested won't work for a number of reasons that I'm >not
> going to bother to re-hash here.

re-hash...made me laugh.

>The solution that's been agreeed upon is signing the daily snapshots >that we
> provide for users who can't use rsync. (/snapshots directory on your
> favorite source mirror)
>
> robust verification solution in portage itself.

That's so simple it hurts. :)

Thanks Kurt.


cdfrey at netdirect

Nov 10, 2004, 7:24 AM

Post #3 of 18 (1150 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wed, Nov 10, 2004 at 01:52:02PM +0000, Kurt Lieber wrote:
> The original fix suggested won't work for a number of reasons that I'm not
> going to bother to re-hash here. I did suggest an alternate solution that
> I think is going to work and Peter has agreed to write the code to
> implement it.
[snip]
> This thread has gone on long enough. The
> solution that's been agreeed upon is signing the daily snapshots that we
> provide for users who can't use rsync. (/snapshots directory on your
> favorite source mirror)

Fantastic idea! If you need help writing or testing this script, you guys
know where to find me. :-) I'm not a python guru, but the main script
shouldn't need much more than bash.

Thanks,
- Chris


--
gentoo-security [at] gentoo mailing list


gary at linuxforce

Nov 10, 2004, 11:15 AM

Post #4 of 18 (1149 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wed, 10 Nov 2004, Kurt Lieber wrote:
> This entire thread has been very demotivating to me as a Gentoo developer.
> Please keep in mind that I donate my time because I enjoy what I do. I
> think it's safe to say that all of the other developers share that same
> motivation. If you take the enjoyment out of developing Gentoo, it's going
> to die off rather quickly.

I just want to say that I *really* appreciate every minute that the Gentoo
developers spend on Gentoo, especially the Gentoo SPARC team. You guys
deserve much more credit than you are given. I, for one, will be tipping
a glass of fine beer tonight in your honor. :-)

To Kurt and everyone else - THANK YOU.



--
gentoo-security [at] gentoo mailing list


ixion at cfl

Nov 10, 2004, 12:02 PM

Post #5 of 18 (1150 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
Agreed!!! You Gentoo Developers are terrific! Never before has a distro
matched Gentoo.. the community has been so wonderful.. I am now running
(between work and home) almost a dozen Gentoo boxes, and love it.

Keep up the good work, Developers. Don't let one bad apple ruin it for you
(there's bound to be more of them as Gentoo gets more popular,
unfortunately). Just remember all the positive notes you get from users...

And a note to the users: let's let the developers know how much we
appareciate them a bit more often.. ;)

>
> On Wed, 10 Nov 2004, Kurt Lieber wrote:
>> This entire thread has been very demotivating to me as a Gentoo
>> developer.
>> Please keep in mind that I donate my time because I enjoy what I do. I
>> think it's safe to say that all of the other developers share that same
>> motivation. If you take the enjoyment out of developing Gentoo, it's
>> going
>> to die off rather quickly.
>
> I just want to say that I *really* appreciate every minute that the Gentoo
> developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> deserve much more credit than you are given. I, for one, will be tipping
> a glass of fine beer tonight in your honor. :-)
>
> To Kurt and everyone else - THANK YOU.
>
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>



--
gentoo-security [at] gentoo mailing list


mgruenb at gmx

Nov 10, 2004, 12:20 PM

Post #6 of 18 (1149 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
Couldn't agree more! You developers are doing a great job! Please keep
up the great work!

In order to show how much I appreciate your work, I just bought some
stuff from the Gentoo store. I would like to encourage everyone who
enjoys Gentoo as much as I do to do the same!

Please help to keep Kurt and the other developers motivated!

Cheers,

Michael.


On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> matched Gentoo.. the community has been so wonderful.. I am now running
> (between work and home) almost a dozen Gentoo boxes, and love it.
>
> Keep up the good work, Developers. Don't let one bad apple ruin it for you
> (there's bound to be more of them as Gentoo gets more popular,
> unfortunately). Just remember all the positive notes you get from users...
>
> And a note to the users: let's let the developers know how much we
> appareciate them a bit more often.. ;)



--
gentoo-security [at] gentoo mailing list


sequel at neofreak

Nov 10, 2004, 12:26 PM

Post #7 of 18 (1150 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
There has been a lot of negative mail in this thread so another positive
may be welcome!

I would like to let know all the gentoo devs. reading this thread that i
highly appreciate the great works you have done for us, the community,
in the past and that you'll continue to deliver.

I've been using Linux (in fact several distro.) for about ten years now
and Gentoo is by far the one that fills up all my need (even security!).

Thanks to all gentoo devs. for all the time they gave to the community!

On Wed, 2004-11-10 at 14:02, Joey McCoy wrote:
> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> matched Gentoo.. the community has been so wonderful.. I am now running
> (between work and home) almost a dozen Gentoo boxes, and love it.
>
> Keep up the good work, Developers. Don't let one bad apple ruin it for you
> (there's bound to be more of them as Gentoo gets more popular,
> unfortunately). Just remember all the positive notes you get from users...
>
> And a note to the users: let's let the developers know how much we
> appareciate them a bit more often.. ;)
>
> >
> > On Wed, 10 Nov 2004, Kurt Lieber wrote:
> >> This entire thread has been very demotivating to me as a Gentoo
> >> developer.
> >> Please keep in mind that I donate my time because I enjoy what I do. I
> >> think it's safe to say that all of the other developers share that same
> >> motivation. If you take the enjoyment out of developing Gentoo, it's
> >> going
> >> to die off rather quickly.
> >
> > I just want to say that I *really* appreciate every minute that the Gentoo
> > developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> > deserve much more credit than you are given. I, for one, will be tipping
> > a glass of fine beer tonight in your honor. :-)
> >
> > To Kurt and everyone else - THANK YOU.
> >
> >
> >
> > --
> > gentoo-security [at] gentoo mailing list
> >
> >
>
>
>
> --
> gentoo-security [at] gentoo mailing list
>


--
gentoo-security [at] gentoo mailing list


ixion at cfl

Nov 10, 2004, 12:57 PM

Post #8 of 18 (1149 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
Oh cool. I didn't realize buying Gentoo t-shirts and things helped the
developers so much. I will most definitely be purchasing some merchandise,
then!

Btw, I forgot to add that I'm a security nut (often referred to as a
'pedantic' security nut;) ), and Gentoo is the ONLY distro that I've found
to suffice my security needs and it is QUITE easy to implement them
compared to other distros.. :)

> Couldn't agree more! You developers are doing a great job! Please keep
> up the great work!
>
> In order to show how much I appreciate your work, I just bought some
> stuff from the Gentoo store. I would like to encourage everyone who
> enjoys Gentoo as much as I do to do the same!
>
> Please help to keep Kurt and the other developers motivated!
>
> Cheers,
>
> Michael.
>
>
> On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
>> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
>> matched Gentoo.. the community has been so wonderful.. I am now running
>> (between work and home) almost a dozen Gentoo boxes, and love it.
>>
>> Keep up the good work, Developers. Don't let one bad apple ruin it for
>> you
>> (there's bound to be more of them as Gentoo gets more popular,
>> unfortunately). Just remember all the positive notes you get from
>> users...
>>
>> And a note to the users: let's let the developers know how much we
>> appareciate them a bit more often.. ;)
>
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>



--
gentoo-security [at] gentoo mailing list


gcombe at co

Nov 10, 2004, 2:22 PM

Post #9 of 18 (1151 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
that is a great idea.... I think I will follow suit and buy a thing or two
of gentoo... As well, I enjoy gentoo and the base principles. choice....
it all about choice. That is why gentoo works for me.

Thanks to devs who have put in the time and hard work.

cheers.
----- Original Message -----
From: "Michael Gruenberger" <mgruenb [at] gmx>
To: <gentoo-security [at] lists>
Sent: Wednesday, November 10, 2004 12:20 PM
Subject: Re: [gentoo-security] The solution and hopefully the end.


> Couldn't agree more! You developers are doing a great job! Please keep
> up the great work!
>
> In order to show how much I appreciate your work, I just bought some
> stuff from the Gentoo store. I would like to encourage everyone who
> enjoys Gentoo as much as I do to do the same!
>
> Please help to keep Kurt and the other developers motivated!
>
> Cheers,
>
> Michael.
>
>
> On Wed, 2004-11-10 at 19:02, Joey McCoy wrote:
> > Agreed!!! You Gentoo Developers are terrific! Never before has a distro
> > matched Gentoo.. the community has been so wonderful.. I am now running
> > (between work and home) almost a dozen Gentoo boxes, and love it.
> >
> > Keep up the good work, Developers. Don't let one bad apple ruin it for
you
> > (there's bound to be more of them as Gentoo gets more popular,
> > unfortunately). Just remember all the positive notes you get from
users...
> >
> > And a note to the users: let's let the developers know how much we
> > appareciate them a bit more often.. ;)
>
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>



--
gentoo-security [at] gentoo mailing list


william.barnett at cchmc

Nov 10, 2004, 2:57 PM

Post #10 of 18 (1150 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
At the risk of being repetitive...

Ditto! (Oh and I just bought some Gentoo gear of my own. I guess I had
better visit OpenBSD.org while I'm at it!!!)

Really, "Thanks!" to all contributors,

Bill - repentant leech
(Unrepentant list lurker)

On or about 11/10/04, many folks wrote:

> Thanks to devs who have put in the time and hard work.
>
> cheers.

>> Couldn't agree more! You developers are doing a great job! Please keep
>> up the great work!

>>> Agreed!!! You Gentoo Developers are terrific! Never before has a distro
>>> matched Gentoo.. the community has been so wonderful.. I am now running
>>> (between work and home) almost a dozen Gentoo boxes, and love it.
>>>
>>> Keep up the good work, Developers. Don't let one bad apple ruin it for
>>> you



--
gentoo-security [at] gentoo mailing list


lists at halffull

Nov 10, 2004, 3:17 PM

Post #11 of 18 (1149 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wed, Nov 10, 2004 at 11:15:11AM -0700, Gary Nichols wrote:
> I just want to say that I *really* appreciate every minute that the Gentoo
> developers spend on Gentoo, especially the Gentoo SPARC team. You guys
> deserve much more credit than you are given. I, for one, will be tipping
> a glass of fine beer tonight in your honor. :-)

Gentoo is the only distribution/OS that's held my interest and satisfied my computing
needs, and it's all thanks to the devs. I try to do my part when I can to repay the
community, but without our wonderful devs we wouldn't be here. Thanks to all of you.
(And don't let the idiots get you down. Most of us really do appreciate you.)
Tom


tradergt at smelser

Nov 10, 2004, 3:20 PM

Post #12 of 18 (1148 views)
Permalink
Re: Re: The solution and hopefully the end. [In reply to]
On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:

> Gentoo is the only distribution/OS that's held my interest and satisfied my
> computing needs, and it's all thanks to the devs. I try to do my part when
> I can to repay the community, but without our wonderful devs we wouldn't be
> here. Thanks to all of you. (And don't let the idiots get you down. Most
> of us really do appreciate you.) Tom

Who is an idiot by the way? I am curious who your directing this comment to.

Jeff


dcocos at gmail

Nov 10, 2004, 3:26 PM

Post #13 of 18 (1148 views)
Permalink
Re: Re: The solution and hopefully the end. [In reply to]
On Wed, 10 Nov 2004 16:20:35 -0600, Jeff Smelser <tradergt [at] smelser> wrote:
> On Wednesday 10 November 2004 04:17 pm, Thomas Kirchner wrote:
>
> > Gentoo is the only distribution/OS that's held my interest and satisfied my
> > computing needs, and it's all thanks to the devs. I try to do my part when
> > I can to repay the community, but without our wonderful devs we wouldn't be
> > here. Thanks to all of you. (And don't let the idiots get you down. Most
> > of us really do appreciate you.) Tom
>
> Who is an idiot by the way? I am curious who your directing this comment to.
>
> Jeff
>

The idiots are the people who will not let this thread die.

--
gentoo-security [at] gentoo mailing list


lists at halffull

Nov 10, 2004, 4:42 PM

Post #14 of 18 (1151 views)
Permalink
Re: Re: The solution and hopefully the end. [In reply to]
On Wed, Nov 10, 2004 at 04:20:35PM -0600, Jeff Smelser wrote:
> Who is an idiot by the way? I am curious who your directing this comment to.

I'm sure the devs have occasionally been frustrated by people's actions or comments.
They're doing this for fun, and sometimes users don't understand that. I try not to show
my hard-headed side here, even when images of 'rtfm' flash through my mind... one of the
best parts of Gentoo is the helpful community.
We all have our people that get to us - though I bet ciaranm's list is longer than most :)
Tom


computer at jacox

Nov 10, 2004, 6:16 PM

Post #15 of 18 (1148 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
Gary Nichols wrote:

>
> On Wed, 10 Nov 2004, Kurt Lieber wrote:
>
>> This entire thread has been very demotivating to me as a Gentoo
>> developer.
>> Please keep in mind that I donate my time because I enjoy what I do. I
>> think it's safe to say that all of the other developers share that same
>> motivation.
>
>
> I just want to say that I *really* appreciate every minute that the
> Gentoo developers spend on Gentoo, especially the Gentoo SPARC team.
> You guys deserve much more credit than you are given. I, for one,
> will be tipping a glass of fine beer tonight in your honor. :-)


Hear, hear. As a (heretofore silent) Gentoo user for about two years, I
feel certain the vast majority of us feel the way that Gary Nichols does
and greatly appreciate the work you do.

--
gentoo-security [at] gentoo mailing list


jstubbs at work-at

Nov 10, 2004, 6:19 PM

Post #16 of 18 (1146 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wednesday 10 November 2004 22:52, Kurt Lieber wrote:
> emerge-webrsync will be hacked up to provide verification support for it. I
> don't have any commitments from the portage devs that these changes will be
> included (emerge-webrsync is part of portage) so this may end up being an
> unsupported, use-at-your-own-risk solution.

emerge-webrsync is on it's way out to be integrated with portage - already in
CVS actually - but the checking of a manifest can be integrated just as
easily providing the "standard" PORTAGE_GPG_DIR et al configuration is used.
Consider this "official" commitment. :)

Regards,
Jason Stubbs

--
gentoo-security [at] gentoo mailing list


simons at cryp

Nov 10, 2004, 10:45 PM

Post #17 of 18 (1148 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
Kurt Lieber writes:

> The original fix suggested won't work for a number of
> reasons that I'm not going to bother to re-hash here.

I'd like to fill that little blank in.

The reason why 99.9% of the Gentoo users can't authenticate
any of the software they use is that some high-profile
Gentoo system administrator is too dumb to realize that ...

(1) you don't need to generate hashes for any of the files
that are covered by the manifests, because -- surprise
-- the manifests do contain their hashes already.

(2) you don't need to regenerate a hash when the file
hasn't changed since the last time you generated one.

(3) adding a single command to CVSROOT/commitinfo would
generate a hash for every file the moment a change was
committed so that there was absolutely no timing
problem and almost no increase in load on the server.


> Quite frankly, a lot of the users out there are leeches
> who don't provide anything back to the Gentoo community,
> but consume our software nonetheless.

Since this comment is obviously directed at me, I suggest
you grep your unauthenticated Portage database for my name,
dumb-ass. Quite frankly, not everybody is as hung up on what
he all does for Gentoo and mentions it at every second
opportunity.


> P.S. I do not want anyone to think that this solution is
> being implemented because of the bitching and screaming
> that occurred.

No. It is implemented because I did it.


I apologize for flaming on the list, but after being lied
to, being called an asshole, being called a jackass, being
called a public stink, being told to fuck off, and all that
because I dare request that someone simply stops standing in
the way when others are trying to increase the security of
Gentoo's users -- and that on the SECURITY mailing list, for
crying out loud --, I really don't feel there is any need to
be polite anymore.

And please don't misunderstand me. There are people who
deserved it a LOT more to be flamed than Kurt. Definitely.
But some of those guys are *so* dumb that it's really not
worth it.

And now I'll do what some real tough security experts here
wanted all along. I'll cease posting.

Until next time.

Peter


--
gentoo-security [at] gentoo mailing list


pauldv at gentoo

Nov 11, 2004, 3:56 AM

Post #18 of 18 (1151 views)
Permalink
Re: The solution and hopefully the end. [In reply to]
On Wednesday 10 November 2004 14:52, Kurt Lieber wrote:
> Anyway, enough preaching. This thread has gone on long enough. The
> solution that's been agreeed upon is signing the daily snapshots that
> we provide for users who can't use rsync. (/snapshots directory on
> your favorite source mirror)

All right, repeating it is not usefull.

>
> This provides the ability to verify the integrity of every single file
> under /usr/portage/ and requires very little changes to our existing
> infrastructure. emerge-webrsync will be hacked up to provide
> verification support for it. I don't have any commitments from the
> portage devs that these changes will be included (emerge-webrsync is
> part of portage) so this may end up being an unsupported,
> use-at-your-own-risk solution. It does not take away from or alter the
> plans to implement a much better, more robust verification solution in
> portage itself.

Well, finally some useable solution. I'm fairly confident that the portage
devs will support it. I think it can be an acceptable measure until the
final measures are finalized.

Paul

> P.S. I do not want anyone to think that this solution is being
> implemented because of the bitching and screaming that occurred. If
> someone had posted a message to the list before all this broke out
> suggesting this solution and volunteering to write the code for it, it
> would be in place by now. That's another way of saying that we didn't
> have to go through all this unpleasantness...

ps. I'm fairly confident that all the bashing has in general been
counterproductive. I certainly have still about 100 mails on the mailing
list laying about, which I don't intend to read. I don't care much about
flamewars, and might certainly have missed productive suggestions.

At least now there is a good temporary measure, and we can now focus on
how the keychain maintenance can be handled (for the final solution)

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv [at] gentoo
Homepage: http://www.devrieze.net

Gentoo security RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.