We mostly protect against script kiddie attacks

Published: 2018-08-13 (last modified 2018-09-13)
Source: https://blogs.gentoo.org/mgorny/2018/08/13/we-mostly-protect-against-script-kiddie-attacks/

The recent efforts on improving the security of different areas of Gentoo have brought up some arguments. Some time ago, one of the developers considered whether he would withstand physical violence if an attacker used it to compromise Gentoo. A few days later, another developer suggested that an attacker could pay Gentoo developers to compromise the distribution. Is this a real threat to Gentoo? Are we all doomed?

Before I answer this question, let me make an important presumption. Gentoo is a community-driven open source project. As such, it has certain inherent weaknesses, and there is no way around them without changing what Gentoo fundamentally is. Those weaknesses are common to all projects of the same nature.

Gentoo could indeed be compromised if developers are subject to the threat of violence to themselves or their families. As for money, I don't want to insult anyone, and I don't think it really matters. The fact is, Gentoo is vulnerable to any adversary resourceful enough, and there are certainly both easier and cheaper ways than the two mentioned. For example, the adversary could get a new developer recruited, or simply trick one of the existing developers into compromising the distribution. It just takes one developer out of ~150.

As I said, there is no way around that without making major changes to the organizational structure of Gentoo. Those changes would probably do more harm to Gentoo than good. We can just admit that we can't fully protect Gentoo from a focused attack by a resourceful adversary; all we can do is limit the potential damage, detect it quickly and counteract it as best we can. In reality, however, random probes and script kiddie attacks that focus on trivial technical vulnerabilities are far more likely, and that's what the security efforts end up focusing on.