Vladimir Diaz:
> After reviewing Portage's Github repository
> <
https://github.com/gentoo/portage> and discussing it with the team, we
> thought it might be better to first demonstrate a few attacks and submit a
> proof of concept of the integration that they can review (along with a
> proposal and documentation). We have tried email/public discussions with
> other open source projects, but progress tends to proceed at a slow pace.
> We might be overwhelming them with papers / documentation, which takes time
> to review. And sharing too little information leads to many questions.
> What do you think of our idea? Should we try a different approach?
>
> We can also start a dialogue by asking about their current setup. For
> example, what role does the "timestamp.chk" file play in their update
> system, and what other attacks are prevented? See
>
https://github.com/gentoo/portage/commit/d7c0bd69cc7d4ac9b1b45f1b30e07019bd716bd6
Hi Vladimir,
I would hope, that they believe you without demonstrating attacks, so
you can safe time writing code just for that.
Asking for more details before doing a bug report sounds sensible.
Your approach sounds good overall.
I am maintaining a Debian/Linux derivative myself (Whonix), so I can
understand both perspectives. Being overwhelmed by suggestions as
maintainer as well as getting through to other maintainers when
reporting issues. As well as I very much interested in brain research
and applying it for practical purposes.
For one, they don't know you. Due to the load of "invalid" reports,
first step must be to get through their metal filters. Few examples on
my techniques.
A philosophical invalid, yet practically most effective approach are
arguments from authority. Therefore try to quote people they already
respect. Example:
https://trac.torproject.org/projects/tor/ticket/7277
If that is not possible, make one yourself. Introduce your team, include
terms such as "professor". Don't push it. ;) I am sure, you'll get the
right balance. Link to related, previous work such as your
papers/research on package manager security that really lead to improved
security in various linux distributions.
Also a strategy of not overwhelming them with information at first post,
writing a concise report plus linking references worked best for me.
Examples:
https://trac.torproject.org/projects/tor/ticket/8751
https://trac.torproject.org/projects/tor/ticket/8170
Perhaps try a dual strategy. Contacting them directly as you planned
right now and starting with the public discussion where you answer
questions a bit later.
But you got actual experience with not just reporting such issues in
package managers, also working with dev teams getting them fixed. I
don't. So please don't put too much thought into my theoretical
considerations.
Cheers,
Patrick