Date:      Tue, 21 Jul 1998 19:06:38 -0500
From:      Jon Hamilton <hamilton@pobox.com>
To:        Brett Glass <brett@lariat.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: Why is there no info on the QPOPPER hack? 
Message-ID:  <199807220004.RAA16588@hub.freebsd.org>
In-Reply-To: Your message of "Tue, 21 Jul 1998 12:24:50 MDT." <199807211824.MAA14302@lariat.lariat.org> 

In message <199807211824.MAA14302@lariat.lariat.org>, Brett Glass wrote:
} At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote:
}  
} >The sky is falling!  Where is that warranty?  Oh, that's right, there isn't
} >one.  The people who are responsible for keeping those machines safe are
} >just going to have to be responsible for keeping them safe, I guess.
} 
} And every one of them will respond instantly to every security advisory,
} so no crackers will ever get in. Nice fantasy.

I have made no such claim.

} >True, but how often do we see problems where "-current won't compile" or
} >where patches went in which were unchecked or otherwise caused problems?
} >You're talking about a volunteer effort, and I just don't see you getting
} >the kind of rigor out of it that you'd need for something like you're
} >suggesting.  This is not meant to denigrate the effort any of the
} >maintainers put in - I am arguing that it's not reasonable to expect such
} >a level of effort from them, and if not them, then who?
} 
} A security team formed for that purpose. A group of people who DO hang on
} every Bugtraq message (if not individually, then collectively). As for
} "-current won't compile" problems -- they're unlikely to occur because
} the patches will likely be to small bits of the OS.

You're being casually dismissive of a real issue again.  Surely you
aren't going to try to keep a straight face while suggesting that 
it's rare to see a quick bug fix for an exploit that either causes
more problems than it solves, or doesn't address the problem it's meant
to fix?  Where do you propose to find these people, and what makes you
think they're going to perform this task for you for low or no cost?
I hope you manage to institute something and make it work; it'd be
a good thing.  I don't see it happening within the parameters you've
laid out, though, and given your frequent use of the third person, 
I doubt very much that you will put much effort into making anything
happen, other than complaining that nobody has already done it for you.

} >Wave your hands some more.  Are you _really_ sure that you trust your
} >local copy of pgp (or whatever other method you want to use)?
} 
} As much as I trust CVSupping to close a hole. And, yes, I do place a high
} level of trust in strong crypto. As must all of us.

All the world doesn't look like your installation, and solutions that
work just fine and make good sense for your installation may simply
not fit elsewhere.  

-- 
   Jon Hamilton  
   hamilton@pobox.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807220004.RAA16588>