I think Universities should rethink their Software Development courses... Valdis has got a very strong point. Here's my own. I got Safari to test websites I develop. Apple seems to think that during a recommended/critical Safari update, I should be installing iTunes. Oh, and surprise, with iTunes you get a couple of Apple Sync'ing services, not to mention some hidden server. It isn't *just* Apple, it's Linux, Microsoft and just about any other company. Microsoft forces you to get Desktop search (and turn on the indexing service, which has its own set of exploits and slows the computer down *a lot*).
Regards, Chris. On Fri, Apr 9, 2010 at 4:12 PM, <valdis.kletni...@vt.edu> wrote: > On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said: > > > And where's the point in reporting several projects that use a -say- > > library which has a reported problem? (I mean, you've send quite the > > same mail with a different software to bugtraq, today.) > > A few years ago, a rather nasty vulnerability was found in the zlib > compression library. We then saw a whole raft of advisories for things > that included the zlib libraries, because often the package shipped with > a private copy of zlib so patching the system zlib did *not* actually > fix the problem for the zlib-using package. > > And quite frankly, if it's a very low-level package, the average system > admin may not even *realize* that his very important MobyFoo package that > he remembers uses something called FooBar (or at least he remembers MobyFoo > wanting FooBar when he installed it 3 years ago), and the year after that, > FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was > installed on his box, and (b) has a security hole. > > You think I'm kidding? Even *after* some vigorous pruning, my Fedora > laptop > has 1,782 RPMs installed - back around Red Hat 9 it was more like 600. > Lotta > software bloat going on, and most sysadmins don't have the combo of time > and > clue to fight it. For instance, it's a losing battle to keep Bluetooth > software off this laptop, even though it doesn't *have* Bluetooth hardware, > because more and more packages link in Bluetooth "in case you have it". > > And not one of those package developers understands the concept of a linker > "weak reference". Argh. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
