Re: Nomination question: Redhat
On Sun, Dec 13, 1998 at 03:18:05AM +0000, James Troup wrote:
> > I don't use it however. Two releases in a row they have released
> > programs suid root which should NOT be suid root. This shows their
> > development strategy is build it first and fast, then secure it.
> > This is bad and I can't safely rely on that sort of development to
> > be secure.
>
> This is the worst possible kind of FUD. Yes, Redhat did have some
> programs inadvertently SUID, but then have you even bothered to check
> how many SUID binaries we have and how valid their SUIDness is? It's
> not a pretty sight. You also failed magnificently to remember the
> recent fte fiasco, which was far worse than anything Redhat have
> done[1].
I am not aware of the problem with fte other than that I recall seeing
one and seeing a fix happen. The programs which were and should not have
been suid included system config utilities on at least two occasions
which is half of them that I know of (I know of 4 individual instances)
I didn't fail magnificantly to remember our security bugs. I remembered
that within a week of release of two seperate releases in a row, Redhat
was patching the releases with critical security problems to programs
that were shipped suid and should not have been.
> In general Redhat respond faster than us to most security incidents
> and Redhat have Alan Cox auditing code. We don't.
Dear me! What ever are we going to do without a kernel hacker? I think
we're doing okay actually. You may be right about Redhat's time to
respond, but I have seen almost instant response frequently, especially
to remote exploit bugs. I usually see a response from Redhat not too
long after which generally means I am seeing a delay for the announcement
to spread.
--
"You're despicable." -- Daffy Duck
Reply to: