Re: [POSSIBLE GRAVE SECURITY HOLD]
- To: John Goerzen <jgoerzen@complete.org>
- Cc: Samuel Tardieu <sam@debian.org>, Adam Di Carlo <adam@onshore.com>, "Huneycutt, Doug" <doug.huneycutt@lmco.com>, 56821@bugs.debian.org, pb@enst.fr, quinot@enst.fr, debian-devel@lists.debian.org
- Subject: Re: [POSSIBLE GRAVE SECURITY HOLD]
- From: Pierre Beyssac <beyssac@enst.fr>
- Date: Wed, 2 Feb 2000 18:49:44 +0100
- Message-id: <20000202184944.K50448@enst.fr>
- In-reply-to: <87n1pjy0qs.fsf@erwin.complete.org>; from John Goerzen on Wed, Feb 02, 2000 at 11:26:19AM -0600
- References: <2000-02-02-11-38-12+trackit+sam@debian.org> <87vh47k3v1.fsf@erwin.complete.org> <20000202175255.E50448@enst.fr> <873drby1na.fsf@erwin.complete.org> <20000202181855.H50448@enst.fr> <87n1pjy0qs.fsf@erwin.complete.org>
On Wed, Feb 02, 2000 at 11:26:19AM -0600, John Goerzen wrote:
> > I'd like to know what your answer to the following questions is:
> >
> > - what is the purpose, in terms of system usability, of
> > this MBR, other than bypassing BIOS and Lilo controls,
> > which hardly qualifies by my book?
>
> Uhmm, is this not inherently obvious? If you don't want LILO in the
> MBR, then you have to have SOMETHING there to boot the box. Not
> everyone had DOS on the machine previously.
I think you understood my question perfectly, because I tend to
assume that since you make fun of other people's typos you must
certainly read English quite correctly. I was talking about _THIS_
MBR, not A MBR.
Let me restate: what purpose, in terms of system usability, do the
keyboard-controlled floppy (or any other partition) boot functions
of _this_ MBR serve, that the BIOS or Lilo cannot accomplish?
I obviously agree that you need a MBR. Why, of all the MBRs in the
world, is this dangerous MBR installed instead of Lilo's MBR or
any other secure MBR?
> > NOT EXPLICITLY DOCUMENTING that behaviour in the install
> > process?
>
> It is documented. As I already acknowledged, perhaps a help button in
> dinstall would be useful, but let's stop this over-reaction and
Not a help button. A PROMINENT warning, and preferably another
choice by default.
> > - what is the purpose, in terms of system usability, of
> > not issuing an advisory to warn vulnerable sites?
> Of what?
Fact: there are many systems vulnerable due to this bug. Why no
official advisory? Does it improve system usability? Or maybe
does it just improve _perceived_ system usability?
--
Pierre Beyssac pb@enst.fr