On Tue, 10 Mar 2015 17:48:58 +0000 Patrick Schleizer <[email protected]> wrote:

> Hi,
>
> I am wondering why posts by Vladimir Diaz and Justin Cappos are not
> visible on the gentoo-portage-dev mailing list archive.
>
> Lost in spam filter?
>
> Have you received them?
>
> Should the listmaster be contacted?
>
> Cheers,
> Patrick
>

You must be subscribed to the list in order to post. No spam filter
that I know of other than the above. Perhaps it's a blocking issue,
I've heard some domains/subdomains cause issues and/or blocked or
something along those lines.

> Vladimir Diaz:
> > Hi,
> >
> > I am a developer in the Secure Systems Lab at NYU. Our lab has
> > collaborated with popular software update systems in the open-source
> > community, including APT, yum, and YaST, to address security
> > problems. More recently, we have been working on a flexible
> > security framework co-developed with the Tor project that can be
> > easily added to software updaters to transparently solve many of
> > the known security flaws we have uncovered in software updaters.
> > We would like to work with The Portage Development Project to
> > better secure the Portage distribution system.
> >
> > TUF
> > <https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
> > (The Update Framework) is a library that can be added to an existing
> > software update system and is designed to update files in a more
> > secure manner. Many software updaters verify software updates with
> > cryptographic signatures and hash functions, but they typically
> > fail to protect against malicious attacks that target the metadata
> > and update files presented to clients. A rollback attack is one
> > such example, where an attacker tricks a client into installing
> > older files than those the client has already seen (these older
> > files may be vulnerable versions that have since been fixed). A
> > full list of attacks and weaknesses the framework is designed to
> > address is provided here
> > <https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>.
> >
> > Our website <http://theupdateframework.com/index.html> includes more
> > information about TUF, including: papers
> > <https://github.com/theupdateframework/tuf/tree/develop/docs/papers>
> > and a specification
> > <https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
> > If you want to see how an existing project integrates TUF, there is
> > a standards track proposal
> > <https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
> > to the Python community that you can review. A more rigorous
> > proposal that requires more administrative work on the repository,
> > but provides more security protections, is also available
> > <https://www.python.org/dev/peps/pep-0480/>.
> >
> > Thanks,
> > Vlad
> >
> > P.S.
> > There is an informational Gentoo Linux Enhancement Proposal that
> > references the security issues that our project addresses, but
> > there hasn't been much recent activity.
> >
> >
> > --
> > [email protected]
> > PGP fingerprint = ACCF 9DCA 73B9 862F 93C5 6608 63F8 90AA 1D25 3935
> > --
> >

--
Brian Dolbec <dolsen>
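The rollback protection Vlad's message describes, as an added illustration that is not TUF's own code and not part of this thread: a client records the highest metadata version it has accepted, refuses metadata that is older or expired, and checks the downloaded file against the length and hash the trusted metadata records. The metadata field names, the sample snapshot bytes and the dates are constructed for this sketch; signature verification, which a real TUF client performs first, is left out.

```python
import hashlib
from datetime import datetime, timezone

class UpdateRejected(Exception):
    """Raised when metadata or a target file fails a client-side check."""

class RollbackAwareClient:
    """Toy client: keeps the highest metadata version it has trusted and refuses
    anything older (rollback) or expired (freeze); signature checks omitted."""
    def __init__(self, trusted_version=0):
        self.trusted_version = trusted_version
    def accept_metadata(self, metadata, now):
        """Return metadata only if it is fresh and not older than what we trust."""
        if datetime.fromisoformat(metadata["expires"]) <= now:
            raise UpdateRejected("expired metadata: refusing stale snapshot")
        if metadata["version"] < self.trusted_version:
            raise UpdateRejected("rollback: version %d is older than trusted %d"
                                 % (metadata["version"], self.trusted_version))
        self.trusted_version = metadata["version"]
        return metadata
    @staticmethod
    def verify_target(metadata, name, data):
        """Check a downloaded file against the length and SHA-256 recorded in
        trusted metadata; a mismatch means the mirror served something else."""
        target = metadata["targets"][name]
        return (len(data) == target["length"] and
                hashlib.sha256(data).hexdigest() == target["hashes"]["sha256"])

def make_metadata(version, expires, targets):
    """Constructed sample metadata; field names only loosely follow TUF."""
    return {"version": version, "expires": expires,
            "targets": {n: {"length": len(b),
                            "hashes": {"sha256": hashlib.sha256(b).hexdigest()}}
                        for n, b in targets.items()}}

def run_scenario():
    """Accept v2, then see older v1 and expired v3 rejected; returns results."""
    now = datetime(2015, 3, 10, tzinfo=timezone.utc)
    blob = b"constructed portage snapshot contents"
    v2 = make_metadata(2, "2015-04-01T00:00:00+00:00", {"portage.tar": blob})
    v1 = make_metadata(1, "2015-04-01T00:00:00+00:00", {"portage.tar": b"old"})
    v3 = make_metadata(3, "2015-03-01T00:00:00+00:00", {"portage.tar": blob})
    client, reasons = RollbackAwareClient(), {}
    client.accept_metadata(v2, now)
    for label, meta in (("rollback", v1), ("expired", v3)):
        try:
            client.accept_metadata(meta, now)
        except UpdateRejected as exc:
            reasons[label] = str(exc)
    return client.trusted_version, reasons, v2, blob
```

After the scenario the client still trusts version 2: the older v1 was refused as a rollback and the newer-numbered but expired v3 was refused as stale, which is the behaviour that stops a mirror from serving a client a signed-but-superseded snapshot.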
