From: Brett Glass
To: Jon Hamilton
Cc: security@FreeBSD.ORG
Date: Tue, 21 Jul 1998 19:23:01 -0600
Subject: Making it work (Was: Why is there no info on the QPOPPER hack?)
In-Reply-To: <199807220004.SAA20560@lariat.lariat.org>
Message-Id: <199807220123.TAA21937@lariat.lariat.org>

At 07:06 PM 7/21/98 -0500, Jon Hamilton wrote:

>You're being casually dismissive of a real issue again. Surely you
>aren't going to try to keep a straight face while suggesting that
>it's rare to see a quick bug fix for an exploit that either causes
>more problems than it solves, or doesn't address the problem it's meant
>to fix?

This is usually because the patch is created in a hurry by one individual without adequate review. That's where the notion of a team comes in.

>Where do you propose to find these people, and what makes you
>think they're going to perform this task for you for low or no cost?

Self-interest. These will likely be the same people who are motivated to close holes in their own systems fast, and will appreciate the chance to work with a team rather than fending entirely for themselves.

>All the world doesn't look like your installation, and solutions that
>work just fine and make good sense for your installation may simply
>not fit elsewhere.

I think if one limits the scope of solutions to patched versions of existing programs, it becomes feasible to allow an automatic update. Nothing's foolproof, of course. For example, if a DoS attack came before the patch arrived, it might not get installed. But the odds are good that it would help.

--Brett