[ On Friday, August 11, 2000 at 18:56:28 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory
>
> I need the contributions of the Windows/Mac developers that I might
> lose by staying with SSH far more than I need to avoid any chance of
> a break-in, or be able to prove exactly who did it if it happens.

All of this is very fine and good, and irrelevant.....

> I have been very forthright about the risks. I've pointed out to people
> who didn't understand exactly how and why pserver was weak. The fact that
> I went on to say that I could live with that weakness does not in any way
> mean I've given anyone a false sense of security.

You have claimed that your patch to add chroot() to cvspserver enhances
the security of cvspserver. I and others have shown that it does
nothing of the sort and may in fact present new and possibly serious
risks that make a remote root exploit slightly more possible.

> Anyway, this has gone on long enough. I don't mind continuing this in
> private email, but I doubt people on this list are going to benefit from
> this being conducted in public any longer.

So long as you will agree not to publicly promote your unnecessary
chroot() patch with false claims I will promise not to worry about the
risks you may or may not be bringing upon yourself.....

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>