On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri <lssndrbarbi...@gmail.com>

> I have concerns about the inclusion of zoom in ::gentoo. For me it's more
> like a malware.
> From the hacker news feed you'll find out that:

> [1] zero day vulnerability found
[2] passwords are truncated to 32 bit
[3] previously sent data to facebook
[4] end to end traffic isn't encrypted
> [5] signed binary run unsigned script
[1], [2], [5] all seem like bugs and I'd expect upstream to fix at least
[1] and [5].  Note that in Gentoo [3] isn't directly relevant (this isn't
iOS) and neither is [5] in most cases as people don't run signed binaries
or use any kind of binary whitelisting in Gentoo.

[2] I think the article mentions the truncation is to 32 bytes (or '32
chars', but I assume each char is 1 byte for entropy sake.); not 32 bits.
Most password fields have a length limit (you cannot accept arbitrary long
passwords. If 32 characters isn't enough length to protect users then the
passwords are going to be useless anyway; most user passwords are
significantly less than 32 characters. This is significantly different than
limited to '32 bits' (which is 4 characters!) and would make brute forcing
passwords an obvious breeze; there is not sufficient entropy in 32 bits to
protect users.

[4] I agree the poor marketing is a problem. I think as Rich states later
in the thread it's possible we could provide more information here. As he
notes though, I'm not convinced this is reason not to package the software
in Gentoo from a policy perspective.

In general I expect that as long as Zoom has a gentoo maintainer and
upstream actually resolves outstanding security issues; I'm not really
aware of any policy hurdles they need to overcome to stay packaged in
Gentoo. Currently it has three maintainers[6]. If it sucks, convince them
to stop maintaining it ;)


> 1 https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1
> 2 https://news.ycombinator.com/item?id=22749706
> 3
> https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook
> 4 https://theintercept.com/2020/03/31/zoom-meeting-encryption/
> 5 https://news.ycombinator.com/item?id=22746764

[6] https://packages.gentoo.org/packages/net-im/zoom

Reply via email to