
Re: Nomination question: Redhat



On Sun, Dec 13, 1998 at 03:18:05AM +0000, James Troup wrote:
> > I don't use it however.  Two releases in a row they have released
> > programs suid root which should NOT be suid root.  This shows their
> > development strategy is build it first and fast, then secure it.
> > This is bad and I can't safely rely on that sort of development to
> > be secure.
> 
> This is the worst possible kind of FUD.  Yes, Redhat did have some
> programs inadvertently SUID, but then have you even bothered to check
> how many SUID binaries we have and how valid their SUIDness is?  It's
> not a pretty sight.  You also failed magnificently to remember the
> recent fte fiasco, which was far worse than anything Redhat have
> done[1].

I am not aware of the problem with fte other than that I recall seeing
one and seeing a fix happen.  The programs which were and should not have
been suid included system config utilities on at least two occasions
which is half of them that I know of (I know of 4 individual instances).

I didn't fail magnificently to remember our security bugs.  I remembered
that within a week of release of two separate releases in a row, Redhat
was patching the releases with critical security problems to programs
that were shipped suid and should not have been.


> In general Redhat respond faster than us to most security incidents
> and Redhat have Alan Cox auditing code.  We don't.

Dear me!  Whatever are we going to do without a kernel hacker?  I think
we're doing okay actually.  You may be right about Redhat's time to
respond, but I have seen almost instant response frequently, especially
to remote exploit bugs.  I usually see a response from Redhat not too
long after which generally means I am seeing a delay for the announcement
to spread.

-- 
"You're despicable."  -- Daffy Duck

