
Re: Bad press again...



Florian Weimer wrote:
> * Steve Wray:
> 
> 
>>>>I view this as a security problem because what if you *think* you've
>>>>made changes to your firewall and are now protected only... you aren't
>>>>and the firewall hasn't been updated?
>>>>
>>>>Is that enough of a security problem for the fix to get into stable?
[snip]
>>When the fwbuilder application tries to write to the file, it fails.
>>This exception doesn't appear to be handled by anything at all and hence
>>the silent failure to write to the file.
>>
>>The issue of actually testing firewall configurations is a whole 'nother
>>problem.
> 
> 
> But you agree that automated tests of the configuration, after it has
> been written and applied, would detect such a problem (if there are
> proper test cases, of course)?

Regression testing of firewall rules would have to be the 'holy grail'
of the work we do here, where there are approximately one bazillion
firewalls to manage, with regular changes to production systems.

It'd need some serious AI programming though and probably some sort of
netfilter simulator. It shouldn't be too hard to implement in an
appropriate language. Prolog or one of the 'constraint programming'
languages perhaps. But this, while fascinating, is getting way off topic
:)

> I'm NOT saying that the bug shouldn't be fixed.  What I want to say
> that the mere occurrence of such a bug is a symptom of a larger
> problem in the software.  If we start labeling such symptoms as
> security bugs, we can probably issue five DSAs a week for ordinary
> bugs in software which is somewhat security-related.  ("GnuPG crashes,
> and users might skip verification of a signature on an important
> document, putting them at risk" -- is this really a security bug?)

This is very true and pretty well what I'm getting at. I don't believe
that there can be any hard and fast rules as to what counts as enough of
a bug to count as a security bug. It's down to people making decisions.

In the end, I imagine that a lot of production sites out there are
*having* to move to Debian 'backports'. They certainly were for woody...

Now is *that* good for anyone concerned? I don't believe that it is; the
backport packages probably don't get anywhere near the QA that packages
that actually go into 'stable' get.

Sometimes I get the feeling that the end user must choose between
reliability and security which is, in truth, a total oxymoron.

I just get the feeling that things today move too fast to hold any
distribution to a very strict interpretation of 'stable'.
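[Added example, not part of the original thread and not fwbuilder's code. It shows the two points raised above in working form: a config write that refuses to fail silently (an unhandled write error propagates and the file is read back after writing), and the post-apply check Florian asked about, which diffs the ruleset the admin believes is installed against an iptables-save dump. The rule list, the file layout and the iptables-save text are constructed for illustration; the "missing SSH rule" in the dump is the made-up failure case, not a report about any real host.]

```python
"""Added example (not from the thread, not fwbuilder's code): make a
firewall-config write fail loudly, and test the applied ruleset afterwards.
The rule list, file layout and the iptables-save dump are constructed."""
import os
import tempfile

# Constructed: the ruleset the admin *thinks* was installed.
EXPECTED_RULES = [
    ("filter", "-A INPUT -i lo -j ACCEPT"),
    ("filter", "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"),
    ("filter", "-A INPUT -p tcp --dport 22 -j ACCEPT"),
    ("filter", "-A INPUT -j DROP"),
]

# Constructed iptables-save output: the new SSH rule never made it in,
# which is the "you think you're protected but you aren't" case above.
LIVE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed (constructed sample)
"""


def write_ruleset(path, content):
    """Write the config atomically and read it back.

    Any OSError (EACCES, ENOSPC, missing directory) propagates instead of
    being swallowed, and a read-back mismatch raises too, so a write that
    did not happen can never look like one that did.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".ruleset-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX: old file or new, never half
    except OSError:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    with open(path) as fh:
        if fh.read() != content:
            raise RuntimeError("read-back of %s does not match what was written" % path)
    return path


def parse_iptables_save(text):
    """Return the set of (table, rule) pairs from an iptables-save dump.

    Only '-A' rule lines count; comments, '*table' headers, ':CHAIN' policy
    lines and COMMIT are bookkeeping.
    """
    rules = set()
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table is not None:
            rules.add((table, line))
    return rules


def missing_rules(expected, dump_text):
    """Expected rules that are absent from the live dump, in expected order."""
    live = parse_iptables_save(dump_text)
    return [r for r in expected if r not in live]


def self_check():
    """Exercise both checks in a throwaway directory; returns the findings."""
    content = "\n".join("%s %s" % rule for rule in EXPECTED_RULES) + "\n"
    with tempfile.TemporaryDirectory(prefix="fwcheck-") as workdir:
        written = os.path.isfile(write_ruleset(os.path.join(workdir, "rules.v4"), content))
        # A write into a directory that does not exist must raise, not return.
        try:
            write_ruleset(os.path.join(workdir, "no-such-dir", "rules.v4"), content)
            write_failed_loudly = False
        except OSError:
            write_failed_loudly = True
    return {
        "written": written,
        "write_failed_loudly": write_failed_loudly,
        "missing": missing_rules(EXPECTED_RULES, LIVE_DUMP),
    }


if __name__ == "__main__":
    for key, value in self_check().items():
        print("%s: %s" % (key, value))
```

In practice the dump passed to missing_rules() comes from running iptables-save on the host after the apply step; a non-empty result is the regression test failing, and that is the moment to alert rather than assume the change took.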


