Re: ssh vulernability
On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote:
> I run Debian; and I applied the OpenSSH patch myself as soon as it was posted.
> Does anybody know of the advantages of waiting for a new .deb file to get
> circulated are?
It's easier, esp. if you don't already have source for the latest version.
> The patch was a change to two lines of code; so I just made
> the changes and rebuilt OpenSSH. That's how I do all of my non-kernel patches;
> seems a bit odd to wait around for the distribution's official
> patch-maker-squad to churn out a new .DEB file.
A lot of people are lazy, and will wait for a .deb in the archive. This is
a sensible response, because the vulnerability is not severe. As long as
they don't have your keys, they still can't get in.
I had a physics prof who always told us that we should be lazy. He meant
that we figure out how to solve the problem with simple equations, instead
of creating a monster, or a whole lot of equations. (this was quantum
mechanics, so it's pretty easy to get screwed if you head off into the
wilderness crunching equations.) This principle applies to being a sysadmin.
Just as you automate everything you can, in the name of laziness, you can
wait until stuff falls into your lap instead of going out and fixing it
yourself, if the problem is not at all likely to lead to any real problems
for your system.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(firstname.lastname@example.org. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE