are gentoo machines more likely to be hacked?

[rajiv]

while i sit here waiting for my slow powermac 6400 to finish an 'emerge -u world' i can't help but wonder if gentoo machines are more likely to be hacked if a known exploit comes out.

consider this scenario: there is a remote hole in some package. an exploit and the source code for the fix are released to everyone at the same time. binary distribution users wait for their distribution owners or someone else to compile the fix and release a binary package. they download the package and install.

however, gentoo users have to download the fix and then compile it themselves, then install. now if you're a gentoo user with a modern (read: fast) machine, you'll be patched in about the same time as a binary distribution user. but if your gentoo machine is old (read: slow) it could be a while before you have the patch installed.

so unless gentoo users are running faster machines than binary distribution users, more gentoo machines will be exploitable for a longer period of time.

thoughts?

[rac]

Shut down the vulnerable server process during the recompilation.
_________________
For every higher wall, there is a taller ladder

[delta407]

[pjp]

Also consider how quickly you usually know about the announcements and fixes. I personally never happen to be using my computer when they come out. I check my mail and see GLSA's. Chances are it isn't that huge a risk. Anyone in a server environment is likely to have a fast enough machine to do this, or another machine to compile on, then distribute.
_________________
Quis separabit? Quo animo?

[nitro322]

My view on this is that you're much more likely to NOT be hacked if you're running Gentoo. Think about it - the entire distribution is already source based, so when a new version of a program is released (most likely as source code), you'll be ready to update almost right away. Assuming Gentoo developers are on top of things (and they seem to be doing a great job of that), they'll have a new ebuild for the package a very short time after it's been fixed, and you can instantly upgrade. Pre-packaged distributions such as RedHat, on the other hand, often take quite a while to be updated. Even if the vulnerability is leaked and exploit code is made available before vendors have a chance to patch the problem, they'll still be slow to release an updated package because packaging and testing on multiple systems simply takes a lot longer than working directly with the source. My $.02, anyway.

[zerogeny]

is my apple more easily hacked than a lemon?
_________________
Searched the web for zerogeny.
Results 1 - 1 of 1. Search took 0.05 seconds

[IdBuRnS]

[dioxmat]

first, the binary package will usually come after the patch, so chances are you had the patch and compiled your fixed version beforce the binary package is actually released.
anyway, most hackers know before the patch is released that there is a vulnerability... and you could take a binary package while recompiling :) (or, just like rac pointed out, shut down the process)
_________________
mat

[fmalabre]

In term of package versions, Gentoo seems the most up to date I've never seen.

[Nitro]

I think that Gentoo would be the first Distro to give you the chance to upgrade. I've used LFS, Slack, RH, and MDK. Gentoo never gave me a chance to try Debian or SUSE, but I figure I'm not missing anything.

There are always Gentoo developers on IRC and all well up to date with vulnerabilities as they they are probably subscribed to an array of mailing lists, so, they talk, fix the ebuild, and commit it. At very most, you will have to wait half an hour to get an updated ebuild after it has been commited by CVS (Rsyncs mirrors update run every half an hour on the hour). And if you need it ASP, you can grab it off gentoo.org's CVS viewer. So, the inital solution is released faster, you could even edit the ebuild manually. A GLSA is released later after the vulnerability has recieved attention and the developers are positive they have the bug covered.

Now, you raised an interesting argument about compiling. As long as you are up to date as well, you can start compiling probably before the binary distro gets the RPM or whatever on the mirrors. On even a 2 year old machine @ say about 500MHz, would take at most 30 mins to compile something big such as MySQL.

I guess I don't have solid examples, but with my envolvement with Gentoo and my understanding of the community built around it, I would say a Gentoo box could be secured much sooner then a binary.

My 2 cents.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.

[fmalabre]

I think you're absolutly right about the community around Gentoo...
This helps a lot having very recent packages.

However, this may not last forever. I already saw similar community which were first very active, and then moved on to something else (I'm thinking about Slackware).

[Nitro]

[sschlueter]

[zentek]

Yep gentoo is mostly one of the best distro.

Cutting edge ( chance to be vulnerable to old explots are quite null )
Active community and fast update
Secure by default ( openBSD can be jalous !!! )
Ill pay 50$ to the first guys to hack a default install of gentoo remotely !!

and on top of it gentoo is easy to manage

[delta407]

[fmalabre]

You forgot "remote" I believe...

[sschlueter]

[delta407]

[kirill]

Okay the sshd is running, the root passwd is empty...

[rajiv]

[rac]

[dioxmat]

[sschlueter]

[Nitro]

[n0n]

What I'd be more wary of, personally, and this is a problem with any system that downloads components automatically, is having one of the mirrors hacked or whatever, and then downloading corrupt md5s, etc, and then getting trojaned source packages. Obviously this kind of thing would also affect Debian users (apt-get), evidentally the BSDs (with their ports system), in addition to Gentoo. Granted, you'd probably have to be somewhat crafty to do it (will the user get the md5 and the source package from the same server?), but I suppose it could theoretically be done.

As to the actual question at hand, I doubt that would come in to play much.