Date: Tue, 21 Jul 1998 19:23:01 -0600
From: Brett Glass <brett@lariat.org>
To: Jon Hamilton <hamilton@pobox.com>
Cc: security@FreeBSD.ORG
Subject: Making it work (Was: Why is there no info on the QPOPPER hack?)
Message-ID: <199807220123.TAA21937@lariat.lariat.org>
In-Reply-To: <199807220004.SAA20560@lariat.lariat.org>
References: <Your message of "Tue, 21 Jul 1998 12:24:50 MDT." <199807211824.MAA14302@lariat.lariat.org>
At 07:06 PM 7/21/98 -0500, Jon Hamilton wrote:

>You're being casually dismissive of a real issue again. Surely you
>aren't going to try to keep a straight face while suggesting that
>it's rare to see a quick bug fix for an exploit that either causes
>more problems than it solves, or doesn't address the problem it's meant
>to fix?

This is usually because the patch is created in a hurry by one individual without adequate review. That's where the notion of a team comes in.

>Where do you propose to find these people, and what makes you
>think they're going to perform this task for you for low or no cost?

Self-interest. These will likely be the same people who are motivated to close holes in their own systems fast, and will appreciate the chance to work with a team rather than fending entirely for themselves.

>All the world doesn't look like your installation, and solutions that
>work just fine and make good sense for your installation may simply
>not fit elsewhere.

I think if one limits the scope of solutions to patched versions of existing programs, it becomes feasible to allow an automatic update. Nothing's foolproof, of course. For example, if a DoS attack came before the patch arrived, it might not get installed. But the odds are good that it would help.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
