From owner-freebsd-security Tue Jul 21 11:25:36 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id LAA10154
    for freebsd-security-outgoing; Tue, 21 Jul 1998 11:25:36 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10146
    for ; Tue, 21 Jul 1998 11:25:33 -0700 (PDT)
    (envelope-from brett@lariat.org)
Received: (from brett@localhost)
    by lariat.lariat.org (8.8.8/8.8.8) id MAA14302;
    Tue, 21 Jul 1998 12:24:53 -0600 (MDT)
Message-Id: <199807211824.MAA14302@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 12:24:50 -0600
To: Jon Hamilton
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG
In-Reply-To: <199807210332.VAA00941@lariat.lariat.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote:

>The sky is falling! Where is that warranty? Oh, that's right, there isn't
>one. The people who are responsible for keeping those machines safe are
>just going to have to be responsible for keeping them safe, I guess.

And every one of them will respond instantly to every security advisory,
so no crackers will ever get in. Nice fantasy.

>True, but how often do we see problems where "-current won't compile" or
>where patches went in which were unchecked or otherwise caused problems?
>You're talking about a volunteer effort, and I just don't see you getting
>the kind of rigor out of it that you'd need for something like you're
>suggesting. This is not meant to denigrate the effort any of the
>maintainers put in - I am arguing that it's not reasonable to expect such
>a level of effort from them, and if not them, then who?

A security team formed for that purpose. A group of people who DO hang
on every Bugtraq message (if not individually, then collectively). As for
"-current won't compile" problems -- they're unlikely to occur because the
patches will likely be to small bits of the OS.

>Wave your hands some more. Are you _really_ sure that you trust your
>local copy of pgp (or whatever other method you want to use)?

As much as I trust CVSupping to close a hole. And, yes, I do place a high
level of trust in strong crypto. As must all of us.

--Brett Glass