
Re: full disclosure, or not?



also sprach Tucker Hermans <thermans@hot.rr.com> [2004.06.27.1724 +0200]:
> I don't mean to sound like an ass, but if you have a mission-critical 
> server or any server with secret data on it shouldn't a firewall already 
> be in place for it?  I mean it is naive to expect all software to not 
> have security issues sometimes. 

How does a firewall help? If the mission-critical server needs to
provide HTTP access, the firewall will have port 80 open. If there
is a root exploit in the HTTP server, it can either be disabled, or
the firewall used to restrict access. Firewalls are okay tools in
the right hands, but they can't do anything if the port needs to be
open, can they?

> Plus there is a good chance that someone who wishes to get the
> information off of your server could have learned about the
> exploit before it was reported to or by the debian security team.

Yeah, which is why I follow the proper channels to get at such
information quickly. I just thought it would be helpful for all
Debian users to get that information without the extra hassle.

> I think pretty much that the debian security team exists more for
> making applications secure not for keeping your system secure, if
> that makes sense.  Pretty much the security team is doing
> a different job than you expect them to.

I am the one keeping my system secure. But as the social contract
says: "we don't hide from our users". Well, the security team is
hiding every time it receives a bug report. I don't think the
details need to be disclosed, but it should become public ASAP when
a service is endangered.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
