Re: Bad press again...
* Steve Wray:
>>>I view this as a security problem because what if you *think* you've
>>>made changes to your firewall and are now protected only... you aren't
>>>and the firewall hasn't been updated?
>>>
>>>Is that enough of a security problem for the fix to get into stable?
>>
>>
>> The underlying problem seems to be that fwbuilder does not provide
>> means to test a configuration after it has been applied to the system.
>> Such tests would catch a more general class of problems, and not just
>> some isolated file system problem.
>
> Not quite.
>
> When the fwbuilder application tries to write to the file, it fails.
> This exception doesn't appear to be handled by anything at all and hence
> the silent failure to write to the file.
>
> The issue of actually testing firewall configurations is a whole 'nother
> problem.

But you agree that automated tests of the configuration, after it has
been written and applied, would detect such a problem (if there are
proper test cases, of course)?

I'm NOT saying that the bug shouldn't be fixed. What I want to say is
that the mere occurrence of such a bug is a symptom of a larger
problem in the software. If we start labeling such symptoms as
security bugs, we can probably issue five DSAs a week for ordinary
bugs in software which is somewhat security-related. ("GnuPG crashes,
and users might skip verification of a signature on an important
document, putting them at risk" -- is this really a security bug?)