Date: Sat, 30 Sep 2000 19:22:31 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Warner Losh <imp@village.org>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Adam Laurie <adam@algroup.co.uk>, security@FreeBSD.ORG
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <200010010223.e912NT203428@cwsys.cwsent.com>
In-Reply-To: Your message of "Sat, 30 Sep 2000 15:33:41 MDT." <200009302133.PAA13677@harmony.village.org>

In message <200009302133.PAA13677@harmony.village.org>, Warner Losh writes:
> In message <200009301404.e8UE4xU64460@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
> : miserably.  My first impression when this happened was that I had a
> : sense that we had a double standard.
>
> The programs that you wanted to remove also implemented a secure
> protocol with Kerberos.  That's why they weren't removed.  They are
> also 1000 times more widely used than even Pine is.  It would take
> some intelligent hacking to make it so that they would only use the
> secure protocol, or that you had to explicitly request the insecure
> one.  No one has done this hacking yet.  If they were less useful,
> less widely deployed, then maybe we could get away with deleting them
> completely.  Sadly, they aren't, so we can't.

I stand corrected.

>
> PINE, on the other hand, is just a mail agent.  It should be flagged
> as being dangerous and people need to jump through hoops to install
> it.

And, not everybody uses PINE.  I use exmh, Jordan uses MH-E, the people
I work with use ELM, and I've noticed others use mutt.  In that respect
it is just another mail agent that is used by some but not all of the
people.  So the impact of a decision to flag PINE as insecure affects
some but not all of the people.

When an MUA has been flagged with a security problem which cannot
easily be fixed, e.g. the MH buffer overruns discussed on BUGTRAQ a
year ago, I for one had to make a choice.  Do I continue to use MH or
do I switch?  I switched to nmh.  I think that PINE users are in the
same predicament as I was a year ago until someone or they either fix
their application, they switch to another, or they assess the risk as
being low.

>
> Finally, we did kill setuidperl a while back, did we not?

I noticed that.

I have to admit that I've been out of sorts since May.  If anyone
requires an apology from me being a jerk on these lists, I apologise.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/DEC Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message