March 15, 2009

Bye-Bye Gentoo

My retirement from Gentoo is complete now.

Good luck to everybody. I hope some people understand the real needs of Gentoo and where it should go. Even if I’m not planning to come back to Gentoo (either as a user or as a developer), I certainly hope the best for it.


October 6, 2008

Generated versions of PMS

Yesterday I linked some PDF versions of PMS in its ‘home page’. This makes PMS more accessible to those that can’t or won’t install a proper TeX system since reading the LaTeX sources is a PITA.

I’ll generate and link versions approved by the Gentoo Council by checking out their signed tags and those versions that the PMS editors deem important. I’ll also link to current HEAD, but this won’t be automated so it might lag a bit if I’m extremely busy.

Also, for those that can’t be bothered reading technical documentation aimed at people implementing a package manager and want to know what’s new in EAPI2, Ciaran McCreesh has published a series of blag posts explaining the new features and whence they came. Make sure to take a look at What’s in EAPI 2?

June 29, 2008

Mood change, I’m happy today

I’m quite happy today. Not because I had lots of fun at yesterday’s party, for which I’m completely dead after having danced salsa for more than 3 hours. I’m really happy because the Gentoo Infrastructure Team investigated what the Exherbo team reported (see details in my latest post).

This, incidentally, means that nobody can act like a sheriff with complete impunity. I won’t comment on the outcome of it, not because I dislike it, but because I think it wouldn’t be fair after all. If someone is interested, they can read the bug themselves.

Update: Alexander wrote a followup post about the whole thing: Follow-Up: Attack on Exherbo.org machine. I can’t do anything else than joining him in his thanks to the Gentoo Infrastructure Team.

PS: Some people have shown disagreement with the way I write stuff (not with what I write about). It seems I’m overly negative and bad publicity for Gentoo. If you feel that way, I apologise. My intention is to give information that I honestly think is relevant about both Gentoo and myself. I’ll try to be less negative in future, even though I’ll still post about what I think is relevant and/or important.

June 28, 2008


I can’t find a different word to describe this situation. I’m usually very proud of being part of Gentoo, even if I don’t agree with every single thing Gentoo does (hey, unlike others, I’m able to live with people disagreeing). But what happened yesterday is really really sad and shameful.

The explanation is long but, fortunately, Alexander wrote a nice blag post explaining what happened:

Attack on Exherbo.org Machine

Do read it. It is important to know the kind of people you work with, and the kind of people you trust certain resources to. I hope Gentoo does something about this. It is of such a bad taste that I don’t want to get started… You can follow the process here: https://bugs.gentoo.org/229895. I really do hope Gentoo does something.

June 27, 2008


Examples of poisonous people that only contribute to a bad working environment include:

* solar shitlists zlin ferdy peper on his ballot
<astinus> wolf31o2: agaffney: Seeing as there appears to be an arms
    race between $new_asshat_distribution developers who're still part of Gentoo and
    $non_asshats, consider yourself nominated for the non-asshats team on Gentoo Council

Fortunately, nobody cares about poisonous people, of course.

May 27, 2008

What’s missing from latest GMN

The latest Gentoo Monthly Newsletter is missing something… what is it?

Yeah, right. It doesn’t mention the fact that the council missed their meeting and they should get the boot.

Gentoo is a joke these days. Trying to stuff shit under the carpet is surely not going to work forever.

May 3, 2008

On cooperating and paludis vulnerability

Note: This was already published in my old blag but planet and wordpress insist on publishing it again. Sorry.

A serious security issue in paludis was brought to my attention recently, and I feel I should make you all aware. Apparently someone, with root access to a machine, can gain root access by installing or editing paludis config files.

For those interested, this is how it happened (times are GMT+1):

22:34 <@ferdy> bonsaikitten: can you give me any details regarding that security bug in paludis?
22:35 <+bonsaikitten> ferdy: it's so obvious you should have found it already
22:37 <@ferdy> bonsaikitten: I should, but I probably haven't
22:37 <+bonsaikitten> ferdy: well, as I am a moron I'm unable to coherently explain :)
22:37 <@ferdy> bonsaikitten: I mean, depends on whether we are talking about a real security issue or about something we should document to avoid people shooting themselves in the foot
22:39 <@ferdy> bonsaikitten: is that all you are going to tell me?
22:39 <+bonsaikitten> ferdy: come on, it's obvious. You're supposed to be smart ...
22:39 * bonsaikitten is not in a mood to explain
22:40 <@ferdy> bonsaikitten: you aren't really talking about the paludisbuild issue, are you?
22:41 <+bonsaikitten> mmh no, that's a different one
22:41 <@ferdy> k
22:41 <@ferdy> bonsaikitten: what are we talking about?
22:42 <@ferdy> bonsaikitten: you don't need to explain it... just say, in general terms, what the issue is
22:50 <@ferdy> bonsaikitten: so? care to give any useful hint?
22:50 <+bonsaikitten> ferdy: doesn't happen in portage compatibility mode
22:51 <+bonsaikitten> but I blame the vodka, hard to explain when *burp* *giggle*
22:52 <@ferdy> bonsaikitten: what's the impact?
22:53 <+bonsaikitten> ferdy: depends on how annoying the other person is
22:54 <+bonsaikitten> ferdy: worst case random file modification
22:58 <@ferdy> bonsaikitten: and we already agreed that we aren't talking about the paludisbuild issue, right?
22:59 <@ferdy> bonsaikitten: if we aren't, I'll need more hints....
23:05 <@ferdy> bonsaikitten: can I get an attack vector?
23:05 <@ferdy> that shouldn't need lots of explaining... I can figure out that part myself
23:19 <@ferdy> bonsaikitten: have you got that attack vector for me?
23:24 <+bonsaikitten> ferdy: look at configuration files, maybe you notice that there's some exquisite code execution possible there
23:29 <@ferdy> bonsaikitten: you mean those config files that only root can edit? I must be missing something here
23:29 <+bonsaikitten> ferdy: you are :)
23:29 <+bonsaikitten> not much, and it's basically the same flaw bashrc is for portage
23:29 <+bonsaikitten> only that bashrc is config_protect'ed ...
23:30 <@ferdy> bonsaikitten: but for a package to clobber those files, it must be in a repo root added, right?
23:31 <+bonsaikitten> someone in the package mangler group, but yes
23:35 <@ferdy> bonsaikitten: but if you can change those files in the first place, why clobber them by adding a malicious repo with a malicious package that changes those files?
23:35 <+bonsaikitten> ferdy: because it's very subtle
23:36 <@ferdy> moreover, if you can already do that, why not just make the package install whatever backdoor you want?
23:37 <@ferdy> I mean, it is subtle, but why would anyone go the 'convoluted' route? he is already able to edit those files (since he had to add that repo)
23:38 <+bonsaikitten> 'cause only paludis is affected and you will find it very hard to trace
23:38 <+bonsaikitten> that makes it so tempting ...
23:40 <+bonsaikitten> just don't be surprised if it suddenly unmerges itself :)
23:41 <@ferdy> yeah... well...
23:41 <@ferdy> bonsaikitten: mind if I disclose this vulnerability in
23:42 <+bonsaikitten> go ahead
23:42 <@ferdy> ta
23:42 <+bonsaikitten> 't is even on the features page of the package mangler :)

This is a good lesson to learn today:

If you can edit files owned by root on a machine, you can get root access to that machine.

So the bottom line is: there is no vulnerability. If you can mangle paludis config files, you are already root, so you don’t need to edit a file to run any command you want. Another lesson one can learn by reading that log is how to be really cooperative.

Ah, and before someone with a need to use cheap psychology asks, the intention of this blag post is to stop the FUD.

