Message-Id: <199807202308.RAA26536@lariat.lariat.org>
Date: Mon, 20 Jul 1998 17:08:05 -0600
To: patl@phoenix.volant.org
From: Brett Glass
Subject: Re: Automatic updates Was: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG
References: <199807201740.LAA20525@lariat.lariat.org>
Sender: owner-freebsd-security@FreeBSD.ORG

It need not be a hole, so long as it is cryptographically secure.
One could even configure it so that it takes several long keys
held by different parties to activate. I can envision a very safe
trust infrastructure for this, with far less probability of
intrusion than via the code it replaced.

Microsoft is getting flack about their mechanism because it is
involuntary and gathers data on users surreptitiously. Third
party mechanisms, such as Symantec's automatic update and
Cybermedia's Oil Change, are well accepted.

--Brett

At 12:04 PM 7/20/98 -0700, patl@phoenix.volant.org wrote:
>> At 11:28 AM 7/20/98 -0500, you wrote:
>>
>> >You don't expect all of your software to automatically upgrade for you, do
>> >you?
>>
>> That's a darn good idea. Several Windows apps do this already. Why not
>> the FreeBSD ports?
>
>You obviously haven't seen any of the flack Micro$oft is getting
>about this 'feature'. Most third parties are recommending turning
>it off. (The biggest problem seems to be that it doesn't track
>enough of the system config info to make sure the updated version
>is actually compatible with the rest of the system.)
>
>
>Also, can you say 'major security hole'? Sure you can.
>
>
>
>-Pat
>
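
The "several keys held by different parties" idea from the message above, sketched as a k-of-n approval check (an added example, not part of the original thread). Party names, keys, and the threshold are constructed, and HMAC over shared keys stands in for public-key signatures only because the Python standard library has none; a real updater would verify public-key signatures so the client holds no signing secrets.

```python
import hashlib
import hmac

# Constructed demo keys, one per approving party (all names are hypothetical).
PARTY_KEYS = {
    "release-engineer": b"k1-constructed-demo-key",
    "security-officer": b"k2-constructed-demo-key",
    "ports-maintainer": b"k3-constructed-demo-key",
}
THRESHOLD = 2  # distinct parties that must approve before an update activates


def approve(party: str, update: bytes) -> bytes:
    """One party's approval tag over the SHA-256 digest of the update."""
    digest = hashlib.sha256(update).digest()
    return hmac.new(PARTY_KEYS[party], digest, hashlib.sha256).digest()


def valid_approvers(update: bytes, approvals) -> set:
    """Return the distinct known parties whose tag verifies for this update.

    approvals is a list of (party, tag) pairs. Unknown parties and bad tags
    are ignored, and a party that appears twice still counts only once.
    """
    digest = hashlib.sha256(update).digest()
    ok = set()
    for party, tag in approvals:
        key = PARTY_KEYS.get(party)
        if key is None:
            continue
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            ok.add(party)
    return ok


def may_activate(update: bytes, approvals) -> bool:
    """True only when at least THRESHOLD distinct parties approved this exact update."""
    return len(valid_approvers(update, approvals)) >= THRESHOLD


if __name__ == "__main__":
    pkg = b"constructed update payload v2"
    a1 = approve("release-engineer", pkg)
    a2 = approve("security-officer", pkg)
    print(may_activate(pkg, [("release-engineer", a1)]))
    print(may_activate(pkg, [("release-engineer", a1), ("security-officer", a2)]))
    print(may_activate(pkg + b"!", [("release-engineer", a1), ("security-officer", a2)]))
```
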