On Fri, 2006-06-09 at 16:14 -0400, Chris Gianelloni wrote:
[snip]
> > If someone wanted to exploit boxen he'd use a much simpler attack
> > vector ... our rsync mirrors are wide open. No need to secure the little
> > window over there when the front door is open ...
>
> Really? I'd like you to give me root on rsync.gentoo.org, then. What's
> that? You can't? What a wonder!

I don't need that ... Look, three-step plan to hacking Gentoo boxen:

1) open a few rsync mirrors and get them into the official rotation
2) replace ebuilds on the server with your preferred rootkit installer
3) harvest all the zombies you just got

Since not all ebuilds are signed and signing is not enforced, portage will
not throw any errors if I take care of a few things (fixing manifests etc.).
So any person running an rsync mirror has implicitly the same level of trust
as a dev.

As for the rest of your email, I'd appreciate it if you didn't take this so
personally. There's no need to belittle or insult others to push your agenda;
it should stand on its own technical merits.

Patrick
-- 
Stand still, and let the rest of the universe move
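
Added example, not part of the message above and not Portage code: a minimal model of the trust argument, showing that a checksum-only manifest check proves only that files and manifest agree, while an enforced signature check rejects a tree whose manifest was regenerated by someone without the developer key. The manifest format, the function names and the sample tree are constructed for illustration, and an HMAC stands in for a developer's public-key signature.

```python
import hashlib
import hmac

# Constructed sample tree (path -> contents); not a real ebuild.
TREE = {"app-misc/demo/demo-1.0.ebuild": b'DESCRIPTION="demo"\n'}
DEV_KEY = b"constructed-developer-key"  # stand-in for a developer signing key


def make_manifest(tree):
    """Simplified manifest (assumed format): 'SHA256 <path> <hex>' per file."""
    return "\n".join(
        f"SHA256 {path} {hashlib.sha256(data).hexdigest()}"
        for path, data in sorted(tree.items())
    ).encode()


def sign(manifest, key):
    """HMAC stands in for a detached developer signature over the manifest."""
    return hmac.new(key, manifest, hashlib.sha256).digest()


def publish(tree, key):
    """What the developer pushes: files, manifest, signature."""
    manifest = make_manifest(tree)
    return dict(tree), manifest, sign(manifest, key)


def mirror_with_changed_file(tree, path, new_data):
    """A mirror that changed one file and regenerated the manifest.
    It does not hold the developer key, so it serves no signature."""
    changed = {**tree, path: new_data}
    return changed, make_manifest(changed), None


def verify(tree, manifest, sig, key, enforce_signing):
    """Client-side check of a synced tree."""
    if manifest != make_manifest(tree):  # digest check only proves consistency
        return False
    if not enforce_signing:
        return True  # unsigned or badly signed manifests pass
    return sig is not None and hmac.compare_digest(sign(manifest, key), sig)
```

With `enforce_signing=False` the changed tree verifies because its regenerated manifest is self-consistent; with `enforce_signing=True` it fails whether the mirror drops the signature or replays the original one.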