[GRLUG] FW: $849 - New IBM Thinkpad T61 Core 2 Duo Laptop 2.0GHz with DVD-R, WWAN, WiFi and Widescreen

Greg Folkert greg at gregfolkert.net
Wed May 14 12:37:21 EDT 2008


On Wed, 2008-05-14 at 12:25 -0400, Collin wrote:
> > Debian did not remove security features.  A bug "fix" inadvertently
> > introduced a *huge* security risk.  Keep in mind, though, that this
> > admittedly big security problem was discovered in the code itself and
> > not in a remote exploit.  Upgrading the necessary packages (that were
> > available almost immediately) and reissuing keys are all that is
> > necessary to avoid a remote exploit.  Granted, some may have a lot of
> > keys to issue, but it is an inconvenience more than anything else.
> >
> > [snip]
> >
> Semantics... If you introduce something and call it a "bug fix" but it 
> really screws the security up then it wasn't really a bug fix, was it? 
> And if that bug fix removes a security feature then it was a removal of 
> a security feature, not a bug fix. Call things what they are, not what it 
> was wished it would be.
> 
> I will, however, grant you that I'm sure that they did it on accident 
> and that the vast majority of the time they get it right. It just sounds 
> like they've got to be more careful in the future.

Which is EXACTLY the response they have provided.

        It was a mistake, let's fix it, move on and be more careful
        about these things.

RedHat, Novell, Gentoo, Debian, Ubuntu... even FreeBSD (big time in
ports) all do these things in large scale amounts.

There were times in RedHat's history that they were the single largest
"fixer" of bugs that introduced many other bugs or security problems.

It's a good thing everyone didn't say "Should we even continue to use
them as they broke something"... some of the exploits they introduced...
some of them were so trivial to do that the ONLY thing safe was to
unplug the network connection.

What about the fact that OpenBSD now has *TWO* exploits that happened in
the default install at one time or another... should we drop that
particular OS for its BRAZEN security problems?

Come on... THINK.
-- 
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2