
Re: Nomination question: Redhat
Joseph Carter <knghtbrd@debian.org> writes:

> I don't use it however.  Two releases in a row they have released
> programs suid root which should NOT be suid root.  This shows their
> development strategy is build it first and fast, then secure it.
> This is bad and I can't safely rely on that sort of development to
> be secure.

This is the worst possible kind of FUD.  Yes, Redhat did have some
programs inadvertently SUID, but then have you even bothered to check
how many SUID binaries we have and how valid their SUIDness is?  It's
not a pretty sight.  You also failed magnificently to remember the
recent fte fiasco, which was far worse than anything Redhat have
done[1].

In general Redhat respond faster than us to most security incidents
and Redhat have Alan Cox auditing code.  We don't.

> I hope they opt to develop with security in mind first in the
> future.

I hope we don't elect a leader who is so prone to gratuitously and
publicly flaming others whilst deliberately or otherwise ignoring
reality.  HTH & HAND

[1] TTBOMR, the two Redhat inadvertently SUID incidents were just
cases where the programs didn't need to be SUID but weren't blatantly
abusable (unlike our fte example) when run SUID; they simply hadn't
been audited and could have been susceptible to exploits.

-- 
James
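A defender's check for the point raised above (how many setuid/setgid binaries a tree carries, and which of them are actually expected), added here as an example and not part of the original post. It assumes a POSIX sh with find(1) and grep(1), and an allowlist file you maintain yourself with one expected root-relative path per line.

```sh
#!/bin/sh
# Added example: enumerate setuid/setgid regular files under a tree and
# flag every one that is not on an explicit, reviewed allowlist.
# Assumes POSIX find/grep; the allowlist format is an assumption of this
# example (one root-relative path per line, e.g. "usr/bin/passwd").

# audit_suid ROOT ALLOWLIST
# Prints one line per setuid/setgid file, prefixed "expected" or "UNEXPECTED".
audit_suid() {
    root=${1%/}          # strip a trailing slash so relative paths are uniform
    allow=$2
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    find "${root:-/}" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        if grep -qxF -- "$rel" "$allow"; then
            printf 'expected   %s\n' "$f"
        else
            printf 'UNEXPECTED %s\n' "$f"
        fi
    done
}

# count_unexpected ROOT ALLOWLIST
# Prints the number of setuid/setgid files missing from the allowlist.
count_unexpected() {
    audit_suid "$1" "$2" | grep -c '^UNEXPECTED' || true
}
```

Run it against a freshly installed system (or an unpacked package tree) and every UNEXPECTED line is a binary whose need for the bit should be justified or the bit dropped.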

