Mihai Popescu <[email protected]> wrote: > > It is an old less-secure practice ... > > I use to think about security as secure / insecure (not secure). Is it ok > to use grades like less secure, more secure, etc.?
Let me provide a better answer. When you use fewer simple ingredients, you can judge the interactions between the the simple components better, and have a more clear understanding that you have achieved your objectives... and not have a pile of curious latent behaviours as well. The crucial behaviour we call "security" really just means the software performs the intended goal only, and cannot be convinced to perform additional unintended behaviours. People are putting random things into chroot, hoping that it works fine. Now people are going to say, surely ksh is not complicated. It needs nothing. If my environment works once in test for my specific test case, it will work the other million times without flaw. I believe that is incompetent delusion. If you don't know precisely what you putting into the mixing bowl and why you shouldn't be making a cake, get a job in sales or something and save us all the grief. Or go ahead, use a bunch of draino and some matchheads, but don't share it.
