On Sun, Jun 27, 2004 at 01:43:45PM +0200, martin f krafft wrote:
> thus spoke Horst Pflugstaedt <[EMAIL PROTECTED]> [2004.06.26.2155 +0200]:
> > what would be the alternative?
> > The security team would have to announce "there's a possible security
> > flaw in package XY, we're on it, but it may take some more days to fix
> > it"
> >
> > What's the worth of such announcements? Users (you'd) know about a bug, but
> > still could not do anything about it. After all, I'd strongly object
> > to my web-host/ISP/sys-admin/... switching off
> > apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> > a yet unfixed security problem.
>
> That's a thing of your webhoster. But if I knew of e.g. a root
> exploit in the HTTP part of a mission-critical server containing
> secret data, I want to turn it off, or take additional security
> precautions, like a firewall layer etc.

If you can do so... you cannot switch off mission-critical services.
(I'd love to see amazon/google/whoever switch off the webserver.)
Firewalling only helps if you find a way to differentiate 'good' from
'bad' packets to your service. What if IPTables had a security flaw?
I expect you are doing as much as you can to secure your system. The
rest is hoping that's enough.

> not knowing about it doesn't mean that the "bad guys" don't know
> about it. and if the bad guys found out before you, they wouldn't tell.

I don't know the translation for the German saying... "waking up a
sleeping dog". What else would a public announcement do? A
no-delay announcement of security issues would be a more dangerous
threat to sites running that software than a policy of first developing
a patch and then offering an instant solution. Not everybody has the
capabilities to react in an appropriate way to a known but unfixed
security issue.

kind regards
Horst

last post for me. I'm no member of the security team, nor am I a
developer. I don't know the earlier discussions, but these would have
been my points. I can understand the wish to be up-to-date on
security issues.

--
#debian.de
< stoffel_> what became of sex & drugs & rock'n roll?
< Lam_al_Adie> stoffel_: dieter bohlen, Harald juhnke and peter kraus?

