Re: [gentoo-dev] zoom concerns

2020-04-08 Thread Kent Fredric
On Wed, 8 Apr 2020 17:39:54 + Peter Stuge wrote: > E.g. for auditing the installed values of these could be worth a lot. Only as far as analysing "why was this package installed, currently the metadata says its un-audited!". But for things like "affected by CVE/Bug", the very nature of

Re: [gentoo-dev] zoom concerns

2020-04-08 Thread Peter Stuge
Kent Fredric wrote: > Syntax above not expected verbatim, just food for thought, I think this is a really good and useful idea. I would love to see it. > the nature of this metadata is that it SHOULD NOT be in the ebuild > itself, as it is inherently "repo based", the installed values of >

Re: [gentoo-dev] zoom concerns

2020-04-08 Thread Kent Fredric
On Tue, 07 Apr 2020 14:44:04 +0100 Roy Bamford wrote: > Gentoo must not single out any package for special treatment. Indeed. Cases like this just demonstrate that something about the way we do things is somehow inadequate. The idea that "what we have works" is something we get away with,

Re: [gentoo-dev] zoom concerns

2020-04-08 Thread Kent Fredric
On Tue, 7 Apr 2020 12:47:33 +0200 Thomas Deutschmann wrote: > Sure, that could have banal reasons like "No one audited the Linux > version yet". But in security you don't issue warnings if you aren't > sure. Because if you make false statements people will no longer trust > you. But trust is

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Roy Bamford
On 2020.04.07 09:48, Ulrich Mueller wrote: > > On Tue, 07 Apr 2020, Samuel Bernardo wrote: > > > No assurance is also a level that takes place in the lower ranking > > level. If someone needs to use zoom because they are demanded by > their > > boss I think that would be even more useful to

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Thomas Deutschmann
On 2020-04-07 12:35, Alessandro Barbieri wrote: > What about moving all of these binary-only packages in an official overlay > (made for the scope) or in GURU? And which problem is that going to solve? Do we want to tell world, "Look! Gentoo is the most secure distribution! We have zero

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Thomas Deutschmann
On 2020-04-07 10:48, Ulrich Mueller wrote: > We could add a README.gentoo file with our caveats. It won't be perfect, > but maybe better than nothing. (And certainly better than displaying a > warning on every upgrade, which will eventually annoy people [1].) I am strictly against something like

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Alessandro Barbieri
What about moving all of these binary-only packages in an official overlay (made for the scope) or in GURU? On Thu 2 Apr 2020, 02:48 Rich Freeman wrote: > On Wed, Apr 1, 2020 at 8:18 PM Alessandro Barbieri > wrote: > > > > I have concerns about the inclusion of zoom in ::gentoo. For me

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Ulrich Mueller
> On Tue, 07 Apr 2020, Samuel Bernardo wrote: > No assurance is also a level that takes place in the lower ranking > level. If someone needs to use zoom because they are demanded by their > boss I think that would be even more useful to know that it is possible > to install zoom in Gentoo and

Re: [gentoo-dev] zoom concerns

2020-04-07 Thread Kent Fredric
On Mon, 6 Apr 2020 23:55:07 +0100 Samuel Bernardo wrote: > This is the kind of useful information that we could collect from the > QA, extending the greatness of the best distro ever made. The > availability of software from a distro is better than installing it > standalone, allowing to share

Re: [gentoo-dev] zoom concerns

2020-04-06 Thread Samuel Bernardo
Hi Kent, On 4/6/20 2:08 PM, Kent Fredric wrote: > So no, nobody can actually make assurances of this software, we can > only stipulate which cautions we know are warranted. No assurance is also a level that takes place in the lower ranking level. If someone needs to use zoom because they are

Re: [gentoo-dev] zoom concerns

2020-04-06 Thread Kent Fredric
On Sun, 5 Apr 2020 17:11:01 +0100 Samuel Bernardo wrote: > Sorry about my comment, but couldn't that be solved choosing the right > profile or opting for an official overlay, raking the assurance level of > those? If zoom is a binary only package, not opensource, we can't make any assurances.

Re: [gentoo-dev] zoom concerns

2020-04-05 Thread Samuel Bernardo
On 2020-04-04 15:57, Kent Fredric wrote: > Depends how concerned you are about VM busting exploits contaminating > the host. > > ( Maybe not Zoom in particular, but with regard to the general theme of > "risky apps on a valued system" ) Sorry about my comment, but couldn't that be solved choosing

Re: [gentoo-dev] zoom concerns

2020-04-04 Thread Kent Fredric
On Thu, 2 Apr 2020 10:01:57 +0200 Michal Prívozník wrote: > Alternatively, you can set up a VM that contains nothing but the bare > minimum required to run app X and assign webcam to it, for instance. > Having said that, I'd still love the packaging system to install the app > as it resolves all

Re: [gentoo-dev] zoom concerns

2020-04-04 Thread Kent Fredric
On Wed, 1 Apr 2020 17:53:39 -0700 Alec Warner wrote: > you cannot accept arbitrary long > passwords Sure you can, as long as you're not storing them anywhere, and are instead, storing their checksum of some kind. Then the only limitations really are how much memory and time you have to locally

Re: [gentoo-dev] zoom concerns

2020-04-02 Thread Thomas Deutschmann
Hi, it's true that zoom is currently getting a lot of attention. It all started with the iOS application using Facebook SDK to provide login through Facebook and their TOS/privacy statement. That triggered a lot of (security) researchers who are currently sitting at home like most people in

Re: [gentoo-dev] zoom concerns

2020-04-02 Thread Ulrich Mueller
> On Thu, 02 Apr 2020, Rich Freeman wrote: > I guess we could stick an einfo in the post-install messages, Not sure if that's necessary. Zoom is a proprietary, closed-source, fetch-restricted package, so users should know that they cannot expect the same level of quality as for free

Re: [gentoo-dev] zoom concerns

2020-04-02 Thread Ulrich Mueller
> On Thu, 02 Apr 2020, Alessandro Barbieri wrote: > I have concerns about the inclusion of zoom in ::gentoo. For me it's > more like a malware. Gentoo is about choice. If users want to use Zoom (or have to, because their employer schedules a meeting using that platform) then it is not our

Re: [gentoo-dev] zoom concerns

2020-04-02 Thread Michal Prívozník
On 2. 4. 2020 7:51, Michał Górny wrote: > On Thu, 2020-04-02 at 10:13 +0800, William Kenworthy wrote: >> And I would like to add that sometimes you don't have a choice - if >> someone who is paying you says to use zoom, there is no choice > > You always have a choice. You can live poor and

Re: [gentoo-dev] zoom concerns

2020-04-01 Thread Michał Górny
On Thu, 2020-04-02 at 10:13 +0800, William Kenworthy wrote: > And I would like to add that sometimes you don't have a choice - if > someone who is paying you says to use zoom, there is no choice You always have a choice. You can live poor and happy! ;-) > - but I > would rather use gentoo

Re: [gentoo-dev] zoom concerns

2020-04-01 Thread William Kenworthy
And I would like to add that sometimes you don't have a choice - if someone who is paying you says to use zoom, there is no choice - but I would rather use gentoo than fire up the MS laptop.. What gentoo can do is mitigate the risk - which I need to look into to see what's done in the ebuild

Re: [gentoo-dev] zoom concerns

2020-04-01 Thread Alec Warner
On Wed, Apr 1, 2020 at 5:18 PM Alessandro Barbieri wrote: > I have concerns about the inclusion of zoom in ::gentoo. For me it's more > like a malware. > From the hacker news feed you'll find out that: > > [1] zero day vulnerability found > [2] passwords are truncated to 32 bit > [3] previously

Re: [gentoo-dev] zoom concerns

2020-04-01 Thread Rich Freeman
On Wed, Apr 1, 2020 at 8:18 PM Alessandro Barbieri wrote: > > I have concerns about the inclusion of zoom in ::gentoo. For me it's more > like a malware. > From the hacker news feed you'll find out that: I guess we could stick an einfo in the post-install messages, but if you're joining a zoom

[gentoo-dev] zoom concerns

2020-04-01 Thread Alessandro Barbieri
I have concerns about the inclusion of zoom in ::gentoo. For me it's more like a malware. From the hacker news feed you'll find out that: [1] zero day vulnerability found [2] passwords are truncated to 32 bit [3] previously sent data to facebook [4] end to end traffic isn't encrypted [5] signed