Sam [mailto:[EMAIL PROTECTED]] wrote:
> If it's good enough for Microsoft, it's good enough for me. If I lifted
> the exact verbiage from their End User License Agreement (any actual
> product, pick your favorite), and used it instead, would that make you feel
> more comfortable?
>
> The problem with that is that both of them are completely identical, once
> you strip away the legalese in MS EULA.
Who cares where you got that verbiage?
> The real answer is that I wrote that paragraph about six months ago.
> Revising that paragraph is probably the last on my list of priorities.
Oh, so you _do_ wish to be personally stand behind and be personally liable for
your setuid-root code?
The only thing I'm saying is that it's inappropriate for you to get ticked off
that people don't want to use your code simply because it is setuid-root and at
the same time publicly call it "alpha" code. Some people are not going to trust
your code as a setuid-root CGI application... or any setuid-root CGI
application... get over it.
If you want your code to be trusted more, please use some other programming
methods which are generally more secure (i.e. your code does not have to be
_perfect_ to be secure) and responsible, instead of the setuid-root CGI app
which can very reasonably be considered a sloppy solution. An example of a
better solution would be having a front-end that runs without permissions, but
invokes a small backend that runs setuid-root through a well defined API will
full taint checks in the backend.
Perhaps your time would be better spent updating your web page and developing
your applications with better security models than picking on people saying
that if they don't trust your program they should remove the "su" from their
system.
<that's all> -- I'll not be posting on this thread anymore...
- David Harris
Principal Engineer, DRH Internet Services
