adaptive gentoo reacts :)

i lack the time for an in-depth coverage, but it looks like the recent security issue had a beneficial effect in that it made some more people think about the future development inside gentoo :) nice!

portage-ng requirements sheet (natural language, sure ;). it’s really time for a re-engineered, modular architecture as a) this is probably a pre-condition for any production-quality package signing feature (now: module) in portage b) modularity will improve manageability and quality assurance of portage-ng in general
gentoo release roadmap 2004

regarding the compromised rsync mirror: the attackers seem to have exploited a heap overflow in rsync (glsa: exploitable heap overflow in rsync) to gain access to the box and the recent brk() vuln to gain root privileges. (btw another nice novelty, gentoo now lists glsas on a dedicated web page. yet another thing i’ve been asking for yesterday fullfilled today. thanks! :).

now we know what kind of exploit was used [my assumption that this might well concern all of us who run gentoo was absolutely right] and which box was compromised. i think we can qualify this as “full disclosure”).

all in all: much better now, folks! :)

(see also the news on ln -s)

[note: this server always runs the most current software available. if there are any security announcements (bugtraq, full-disclosure, glsa) regarding software used on this server, i usually update the said software within minutes/hours. further, it’s hardened against some kind of attacks and constantly monitored.]


Leave a Reply

Your email address will not be published. Required fields are marked *

6 × 1 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.