
Re: Debian two-factor auth, GSoC?

> > > Please take your FUD elsewhere.
> > > 
> > > It's an implementation of the JavaCard specification.  It's not
> > > something that runs in your web browser, but they're both called
> > > applets.  
> > 
> > Does it require a JRE to be installed (which the security community
> > avoids for good reason), if so then it does reduce your server/machine
> > security, though you may deem it acceptable and obviously not to the
> > same level as java browser applets which are basically putting up a
> > rental sign to any site you visit.   
> Debian is not Windows.  We have separate packages for the JRE and the
> browser plugin.

What has Windows got to do with anything?!?! I am saying that just
because something is less than terrible security-wise, that doesn't stop
it from reducing a machine's security; some, such as JRE even without
plugins, reduce security or increase attack and escalation vectors more
than others.

Obviously it is a balance of options and risk analysis. I'm just saying
anything that requires a JRE would push it down my list if there are any
choices and so not FUD as such but rather something that may be deemed
as acceptable.

Personally I wouldn't run a JAR on any server for example.


'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
