
Re: libsafe and Debian installation



I assume you mean it's the wrong way to increase security.  I disagree
with you.  libsafe and good code are 100% orthogonal issues.  Good code
is the security blanket, libsafe is the safety net.  One should never
say "libsafe will catch it" as libsafe isn't perfect, but it provides a
safety net to those who either get hit before they can patch, or
actually get hit by the actual new attack.

Let's say one is an administrator of his own machine on a cable modem.
Let's say that person is in the middle of finals, or ends up in the
hospital and is unable to update his machine. Something like libsafe can
provide a real boost in security.

How many machines are hacked on a daily basis that libsafe could have
protected against (and in fact warn the administrator of the machine
that they have an insecure application)?  Any system administrator who
relies on libsafe alone to provide him protection is a not so
intelligent system administrator, but any system administrator who
doesn't consider the pros (as well as the cons) of using libsafe is also
not doing his job.  If the cons are too great for someone, I can accept
that they won't use it.  But to say that there's a security reason not to
use it, to me seems like a very weak argument.

shaya

On Mon, 2002-04-22 at 17:20, Jeroen Dekkers wrote:
> On Mon, Apr 22, 2002 at 02:03:00PM -0400, Shaya Potter wrote:
> > why are you so anti libsafe? 
> 
> Because it's the wrong to increase security. You should increase
> security by learning how to code, not by using a library to provide
> workarounds for your mistakes. If you provide such a library,
> people get lazy and just think "libsafe will catch it". We should fix
> buffer overflows, not provide workarounds for it.
> 
> Jeroen Dekkers 
> -- 
> Jabber supporter - http://www.jabber.org Jabber ID: jdekkers@jabber.org
> Debian GNU supporter - http://www.debian.org http://www.gnu.org
> IRC: jeroen@openprojects


