Date: Mon, 20 Jul 1998 14:34:17 -0400 (EDT)
From: "Christopher G. Petrilli"
To: Brett Glass
cc: "Gentry A. Bieker", security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?

On Mon, 20 Jul 1998, Brett Glass wrote:

> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
> if the FreeBSD Security Manager sent a message, digitally signed with
> a nice, long key, saying that a serious exploit might be imminent. It'd
> be worth the risk. In the case of the QPopper hole, it would have been
> the Right Thing.
>
> The feature would, of course, be optional. Not everyone would turn it on,
> but *I* would.

Maybe after 2-3 independent external audits to verify that there are no
exploits would I consider this, but considering the unlikely nature of
this, I think there are better places to invest time and resources than to
replace the administrator's brain.

Chris

>
> >
> >> It might save your butt.
> >>
> >> But who said anything about "randomly?" The aforementioned Windows apps
> >> do let you upgrade when you want to, and let you roll back.
> >
> >I think that the idea of "notification" of a new update is wonderful,
> >however, installation should not be in any way "automatic", even if you
> >say "sure upgrade my machine while I cross my fingers and hope that
> >nothing 'unusual' happens." This however, is trivially accomplished
> >through either a modification to the package mechanism (providing an
> >extra utility), or simply having email lists.
> >
> >Chris
> >
> >
> >> At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
> >>
> >> >On Mon, 20 Jul 1998, Brett Glass wrote:
> >> >
> >> >> At 11:28 AM 7/20/98 -0500, you wrote:
> >> >>
> >> >> >You don't expect all of your software to automatically upgrade for you, do you?
> >> >>
> >> >> That's a darn good idea. Several Windows apps do this already. Why not
> >> >> the FreeBSD ports?
> >> >
> >> >Oh yes, I definitely want my applications randomly upgrading themselves
> >> >... this will fix all my security holes :-)
> >> >
> >> >Chris
> >> >--
> >> >| Christopher Petrilli
> >> >| petrilli@amber.org
> >> >
> >> >
> >
> >--
> >| Christopher Petrilli
> >| petrilli@amber.org
> >
>

--
| Christopher Petrilli
| petrilli@amber.org