And I would like to add that sometimes you don't have a choice - if someone who is paying you says to use zoom, there is no choice - but I would rather use gentoo than fire up the MS laptop..

What gentoo can do is mitigate the risk - which I need to look into to see whats done in the ebuild over a default install of their binary..

William K.

On 2/4/20 8:53 am, Alec Warner wrote:
On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri < <>> wrote:

    I have concerns about the inclusion of zoom in ::gentoo. For me
    it's more like a malware.
    From the hacker news feed you'll find out that:

    [1] zero day vulnerability found

    [2] passwords are truncated to 32 bit

    [3] previously sent data to facebook

    [4] end to end traffic isn't encrypted
    [5] signed binary run unsigned script

[1], [2], [5] all seem like bugs and I'd expect upstream to fix at least [1] and [5].  Note that in Gentoo [3] isn't directly relevant (this isn't iOS) and neither is [5] in most cases as people don't run signed binaries or use any kind of binary whitelisting in Gentoo.

[2] I think the article mentions the truncation is to 32 bytes (or '32 chars', but I assume each char is 1 byte for entropy sake.); not 32 bits. Most password fields have a length limit (you cannot accept arbitrary long passwords. If 32 characters isn't enough length to protect users then the passwords are going to be useless anyway; most user passwords are significantly less than 32 characters. This is significantly different than limited to '32 bits' (which is 4 characters!) and would make brute forcing passwords an obvious breeze; there is not sufficient entropy in 32 bits to protect users.

[4] I agree the poor marketing is a problem. I think as Rich states later in the thread it's possible we could provide more information here. As he notes though, I'm not convinced this is reason not to package the software in Gentoo from a policy perspective.

In general I expect that as long as Zoom has a gentoo maintainer and upstream actually resolves outstanding security issues; I'm not really aware of any policy hurdles they need to overcome to stay packaged in Gentoo. Currently it has three maintainers[6]. If it sucks, convince them to stop maintaining it ;)




Reply via email to