And I would like to add that sometimes you don't have a choice - if someone who is paying you says to use Zoom, there is no choice - but I would rather use Gentoo than fire up the MS laptop.

What Gentoo can do is mitigate the risk - which I need to look into to see what's done in the ebuild over a default install of their binary.


William K.


On 2/4/20 8:53 am, Alec Warner wrote:
On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri <lssndrbarbi...@gmail.com> wrote:

    I have concerns about the inclusion of zoom in ::gentoo. For me
    it's more like malware.
    From the hacker news feed you'll find out that:

    [1] zero day vulnerability found
    [2] passwords are truncated to 32 bit
    [3] previously sent data to facebook
    [4] end to end traffic isn't encrypted
    [5] signed binary runs unsigned script


[1], [2], [5] all seem like bugs and I'd expect upstream to fix at least [1] and [5].  Note that in Gentoo [3] isn't directly relevant (this isn't iOS) and neither is [5] in most cases as people don't run signed binaries or use any kind of binary whitelisting in Gentoo.

[2] I think the article mentions the truncation is to 32 bytes (or '32 chars', but I assume each char is 1 byte for entropy's sake); not 32 bits. Most password fields have a length limit (you cannot accept arbitrarily long passwords). If 32 characters isn't enough length to protect users then the passwords are going to be useless anyway; most user passwords are significantly shorter than 32 characters. This is significantly different from being limited to '32 bits' (which is 4 characters!), which would make brute forcing passwords an obvious breeze; there is not sufficient entropy in 32 bits to protect users.

[4] I agree the poor marketing is a problem. I think as Rich states later in the thread it's possible we could provide more information here. As he notes though, I'm not convinced this is reason not to package the software in Gentoo from a policy perspective.

In general I expect that as long as Zoom has a gentoo maintainer and upstream actually resolves outstanding security issues; I'm not really aware of any policy hurdles they need to overcome to stay packaged in Gentoo. Currently it has three maintainers[6]. If it sucks, convince them to stop maintaining it ;)

-A

    1 https://techcrunch.com/2020/04/01/zoom-doom/?guccounter=1
    2 https://news.ycombinator.com/item?id=22749706
    3 https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook
    4 https://theintercept.com/2020/03/31/zoom-meeting-encryption/
    5 https://news.ycombinator.com/item?id=22746764


[6] https://packages.gentoo.org/packages/net-im/zoom
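To make the distinction Alec draws above concrete (a limit of 32 characters versus a limit of 32 bits, and what a silent truncation actually does at login), here is an added Python example that is not code from this thread and not Zoom's code. It assumes a 95-symbol printable-ASCII alphabet for the entropy estimate and models the server with a toy SHA-256 verifier; the passphrase and the 32-character limit are constructed sample values.

```python
import hashlib
import math

# Assumed alphabet for the entropy estimate: the 95 printable ASCII characters.
PRINTABLE_ALPHABET_SIZE = 95


def search_space_bits(length_chars: int, alphabet_size: int = PRINTABLE_ALPHABET_SIZE) -> float:
    """Bits of entropy in a uniformly random password of the given length.

    A limit of 32 *characters* still leaves about 210 bits; a limit of 32 *bits*
    (4 one-byte characters) leaves under 27 bits, i.e. at most 2**32 guesses.
    """
    return length_chars * math.log2(alphabet_size)


def guesses_for_bits(bits: int) -> int:
    """Number of candidates needed to exhaust a keyspace of `bits` bits."""
    return 2 ** bits


def make_truncating_verifier(stored_password: str, limit: int):
    """Constructed model (not Zoom's code) of a server that silently truncates a
    password to `limit` characters before hashing it. Returns a check function."""
    stored_hash = hashlib.sha256(stored_password[:limit].encode()).hexdigest()

    def check(candidate: str) -> bool:
        # The same truncation is applied at login, so anything past `limit` is ignored.
        return hashlib.sha256(candidate[:limit].encode()).hexdigest() == stored_hash

    return check


def effective_length(password: str, limit: int) -> int:
    """How many characters of the password actually contribute to the secret."""
    return min(len(password), limit)


if __name__ == "__main__":
    # Constructed sample: a 40-character passphrase on a server with a 32-character limit.
    password = "correct-horse-battery-staple-2020-ABCDEF"
    check = make_truncating_verifier(password, limit=32)

    print("exact password accepted:", check(password))
    print("first 32 chars plus junk accepted:", check(password[:32] + "ZZZZZZZZ"))
    print("effective length:", effective_length(password, 32))
    print("32-char search space: %.0f bits" % search_space_bits(32))
    print("32-bit search space: %d guesses" % guesses_for_bits(32))
```

Running it shows that a candidate sharing only the first 32 characters of the passphrase is accepted: characters beyond the limit add no security, which is what a 32-character truncation costs a user, while the keyspace still stays far above what a 32-bit limit would leave. A verifier that enforces a length limit should reject over-length input or document the limit rather than truncate silently, so users know which part of their passphrase is actually the secret.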
