Date: Mon, 20 Jul 1998 17:52:20 -0600 From: Brett Glass <brett@lariat.org> To: "Matthew N. Dodd" <winter@jurai.net> Cc: "Christopher G. Petrilli" <petrilli@dworkin.amber.org>, "Gentry A. Bieker" <gbieker@crown.NET>, security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? Message-ID: <199807202352.RAA27271@lariat.lariat.org> In-Reply-To: <Pine.BSF.3.96.980720173840.10970g-100000@sasami.jurai.net> References: <199807201828.MAA21514@lariat.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thousands (maybe tens or hundreds of thousands) of systems have been potentially compromised because that code was in the FreeBSD Ports library. I'd find it hard to believe that such a scheme would do anything but improve the odds that the hole would be closed. And, no, CVSup is not an answer. On production machines, you don't want to CVSup to the latest version -- you just want to pick up known good patches for significant problems. --Brett At 05:40 PM 7/20/98 -0400, Matthew N. Dodd wrote: > >This sort of thing tends to go over poorly at security audits and with >people who's heads are on the line when things break. > >I'm not willing to trust a 3rd party with that level of control of my >system. > >Nobody should be that trusting. > >Just think of what would happen if the update process was compromised. > >On Mon, 20 Jul 1998, Brett Glass wrote: >> I'd go further. I'd be willing to allow an INSTANT automatic upgrade >> if the FreeBSD Security Manager sent a message, digitally signed with >> a nice, long key, saying that a serious exploit might be imminent. It'd >> be worth the risk. In the case of the QPopper hole, it would have been >> the Right Thing. >> >> The feature would, of course, be optional. Not everyone would turn it on, >> but *I* would. > > > >/* > Matthew N. Dodd | A memory retaining a love you had for life > winter@jurai.net | As cruel as it seems nothing ever seems to > http://www.jurai.net/~winter | go right - FLA M 3.1:53 >*/ > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807202352.RAA27271>