Re: Mozilla security problems in stable
On Friday 01 November 2002 13:44, Wouter Verhelst wrote to
debian-private@lists.debian.org:
> On Thu, Oct 31, 2002 at 10:27:40PM +0100, Yven Leist wrote:
> > I could not think of anyone who would not benefit from mozilla 1.0.1
> > getting into stable. I'm sure the chance that our users are hit by one of
> > these 130 stability and dataloss bugs is far greater than the chance that
> > they are hit by some currently undiscovered bug, introduced with the
> > changes between 1.0.0 and 1.0.1.
> >
> > The most important thing to keep in mind here IMHO, is that mozilla is
> > not in any way mission-critical, therefore I'd even regard it as some
> > sort of no-brainer as far as woody is concerned.
>
> How the hell can you know that?
>
> Consider a situation where someone working on an intranet-site tries to
> break into the servers by breaking someone's root password through a
> webpage.
>
> Consider a webkiosk, the owner of which does not want to reinstall his
> system every week or so.
He has to do that anyway, due to the fact that at least the security fixes
will be backported, so I do not really see the point here.
> Consider a single server where people log in to using X terminals (yeah,
> such a setup still exists) and where the admin likely wants to have
> local applications to be as bug-free (security-wise, that is) as
> possible.
Sure. But the thing is that if I were the admin of that server, I'd put
greater trust in the mozilla developers not introducing any new security bugs
while fixing the old ones, than in the Debian developers really getting all
these security fixes properly backported, simply because mozilla is such a
huge project and naturally the mozilla developers know their code better than
anyone else. And for me that does _not_ translate into "I always blindly
trust upstream" or "the security team is superfluous because they can't get
backports right"...
> > (Please note, that I'd not say the same thing about _really_ critical
> > parts of the system, I'm absolutely aware of the dangers involved there,
>
> Sure. Still, there's no reason to divide between 'mission-critical'
> stuff and stuff that isn't. In a situation where central authentication
> is set up using LDAP, the Kerberos packages on J. Random R&D-hacker's
> personal system are not mission critical, while the LDAP-server sure is.
>
> Whether or not something is 'mission-critical' depends on the 'mission'
> it needs to serve. And that is something that Debian cannot even try to
> define; therefore, all packages need to go by the same standards.
Well, I think Debian really should try to define this, simply by applying
common sense: a data corruption bug in the gimp is not as bad as one in
e2fsprogs...
Cheers,
Yven
--
Yven Johannes Leist - leist@beldesign.de
http://www.leist.beldesign.de