On Fri, Jun 09, 2006 at 05:22:18PM -0400, Chris Gianelloni wrote:
> On Fri, 2006-06-09 at 22:51 +0200, Patrick Lauer wrote:
> > On Fri, 2006-06-09 at 16:14 -0400, Chris Gianelloni wrote:
> > [snip]
> > > > If someone wanted to exploit boxen he'd use a much simpler attack
> > > > vector ... our rsync mirrors are wide open. No need to secure the little
> > > > window over there when the front door is open ...
> > > 
> > > Really?  I'd like you to give me root on rsync.gentoo.org, then.  What's
> > > that?  You can't?  What a wonder!
> > 
> > I don't need that ...
> > Look, three-step plan to hacking Gentoo boxen:
> > 
> > 1) open a few rsync mirrors and get them into the official rotation
> 
> Umm... the rsync servers in rsync.gentoo.org are all controlled by infra
> now.  If you're using another rsync server (read, untrusted) then you
> get what you deserve.  ;]
>

Right.

Besides, all distros suffer from this same problem; indeed, shouting that our mirror
system is a wide open door is far from fair. This new project, though,
could be a nice attack vector. In the FAQ you state that you don't allow
eclasses, which is nice... but I can think of a thousand other ways to
compromise without them, using ebuilds.

Not pointing fingers here, just stating that if this is an "official" project
(whatever that means)... or even if it's not, much caution is advised
security-wise in who you trust and what you are going to put in the tree (and,
most importantly, what the perception of your authority/reliability will be
user-wise).

Cheers

-- 
Andrea Barisani <[EMAIL PROTECTED]>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"
-- 
gentoo-dev@gentoo.org mailing list