From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 03:46:18 2003
Date: Thu, 27 Mar 2003 05:46:16 -0600
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327114616.GE98283@madman.celabo.org>
In-Reply-To: <20030326234503.A21679@sheol.localdomain>
References: <20030326061041.A17052@sheol.localdomain> <20030326071637.A17385@sheol.localdomain> <3E81AF6C.3060705@arnes.si> <20030327160638.J1404@gamplex.bde.org> <20030326234503.A21679@sheol.localdomain>
On Wed, Mar 26, 2003 at 11:45:04PM -0600, D J Hawkey Jr wrote:
> OK, I now have to take this a little off-topic, and ask the following:
>
> Given that it's improbable, if not nearly impossible, to discover what
> statically-linked binaries may be involved with any vulnerability, isn't
> it reasonable to ask if the benefits of statically-linked binaries aren't
> outweighed by the [security] drawbacks?
>
> Granted, a "no static binaries" policy wouldn't cover things outside of
> any given distribution, but at that point, the vendor is absolved.

IMHO making security updates for a completely-dynamically-linked system
would be easier. However, it's not a panacea and there are reasons one
might still want static binaries.

This is not a given:

> Given that it's improbable, if not nearly impossible, to discover
> what statically-linked binaries may be involved with any
> vulnerability,

The way to determine it is to run `make release' without the fix, then
`make release' with the fix, and intelligently compare the results. It is
hard, not `nearly impossible'.

> Should this move on over to freebsd-hackers@ ?

I think it should stop here :-) We don't need another static-vs-dynamic
thread right now (e.g. yet another one finally finished on freebsd-arch
yesterday).

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
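The "build without the fix, build with the fix, compare" approach described in the message above, as an added example that is not part of the original mail or of any FreeBSD tooling: it hashes every file in two build trees, lists the files whose contents changed, and then flags the changed files that are statically linked executables (ELF64 ET_EXEC with no PT_INTERP program header), since those are exactly the binaries a shared-library update alone would not reach. The two trees, their paths and the ELF images inside them are constructed sample data written to temporary directories; `make release` itself is not run. The static-linkage heuristic is an assumption of this example and deliberately ignores static PIE (ET_DYN without PT_INTERP), which would need a symbol-table check to distinguish from a shared library.

```python
import hashlib
import os
import struct
import tempfile

PT_INTERP = 3   # program header naming the dynamic loader
ET_EXEC = 2     # fixed-address executable (what a classic static binary is)
ET_DYN = 3      # shared object or PIE


def file_digest(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map relative path -> digest for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = file_digest(full)
    return out


def changed_files(before_root, after_root):
    """Paths present in both trees whose contents differ between the two builds."""
    before, after = tree_digests(before_root), tree_digests(after_root)
    return sorted(p for p in after if p in before and before[p] != after[p])


def is_static_executable(path):
    """True for an ELF64 ET_EXEC image with no PT_INTERP entry (assumed heuristic).

    A dynamically linked program names its loader in PT_INTERP; a classic static
    binary has none.  Shared libraries are ET_DYN and also lack PT_INTERP, so the
    e_type check keeps them out of the static list.
    """
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:
        return False                       # not an ELF64 file at all
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_type != ET_EXEC:
        return False
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return False
    return True


def static_suspects(before_root, after_root):
    """Changed files that are static executables: a shared-library fix will not reach them."""
    return [p for p in changed_files(before_root, after_root)
            if is_static_executable(os.path.join(after_root, p))]


def make_fake_elf(e_type, with_interp, body):
    """Constructed ELF64 image (header + program headers + payload); not runnable code."""
    phdrs = [(1, 5, 0, 0, 0, 0, 0, 0x1000)]                  # one PT_LOAD entry
    if with_interp:
        phdrs.insert(0, (PT_INTERP, 4, 0, 0, 0, 0, 0, 1))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8   # 64-bit, LE, FreeBSD OSABI
    hdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, e_type, 62, 1, 0, 64, 0, 0,
                      64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + body


def build_demo_trees():
    """Constructed sample: a 'before' and an 'after' release tree in temp dirs."""
    before = tempfile.mkdtemp(prefix="release-before-")
    after = tempfile.mkdtemp(prefix="release-after-")
    # path -> (e_type, has PT_INTERP, before payload, after payload); payloads stand in for code
    sample = {
        "bin/sh":          (ET_EXEC, False, b"sh xdr-old",   b"sh xdr-new"),    # static, changed
        "sbin/init":       (ET_EXEC, False, b"init code",    b"init code"),     # static, unchanged
        "usr/bin/editor":  (ET_EXEC, True,  b"editor code",  b"editor code"),   # dynamic, unchanged
        "usr/lib/libc.so": (ET_DYN,  False, b"libc xdr-old", b"libc xdr-new"),  # shared lib, changed
    }
    for rel, (e_type, interp, old, new) in sample.items():
        for root, body in ((before, old), (after, new)):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(make_fake_elf(e_type, interp, body))
    return before, after


if __name__ == "__main__":
    b, a = build_demo_trees()
    print("changed between builds:", changed_files(b, a))
    print("static executables that need their own rebuild:", static_suspects(b, a))
```

On a real pair of `make release` trees the comparison is noisier than this: build timestamps and embedded version strings change even when no code does, so the "intelligently compare" part of the advice means normalising or ignoring those fields before trusting the hash diff.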