Re: Nomination question: Redhat
Joseph Carter <knghtbrd@debian.org> writes:
> On Sun, Dec 13, 1998 at 03:03:39PM -0500, Michael Stone wrote:
> > > This is the worst possible kind of FUD. Yes, Redhat did have some
> > > programs inadvertently SUID, but then have you even bothered to check
> > > how many SUID binaries we have and how valid their SUIDness is? It's
> > > not a pretty sight. You also failed magnificently to remember the
> > > recent fte fiasco, which was far worse than anything Redhat have
> > > done[1].
> >
> > But IIRC, the fte thing wasn't in a release version, was it? If you're
> > running a pre-release, you take what you get. OTOH, it's a good example
> > of why an open development model is a Good Thing: it got caught _before_
> > we sent it out on thousands of CDs.
>
> Something that didn't happen with Redhat (which was my whole point in the
> first place).
No, it didn't happen with Redhat because Redhat weren't lame enough to
make an editor SUID; their SUID programs were only _potentially_
exploitable through buffer overruns and the like.
And as Ben pointed out, fte was only caught by complete happenstance,
it _very_ easily could have gone into slink.
--
James