[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Security reports in bugzilla?

From: Franck Martin <franck sopac org>
To: gnome-2-0-list gnome org, gnome-devel-list gnome org
Subject: Re: Security reports in bugzilla?
Date: 22 Dec 2001 14:37:43 +0000

Well,

this is the whole question of Open source software vs closed software. I think that the stand at the moment can be summarised like this:

The Free Software Foundation is for total disclosure as soon as possible.
Microsoft is for total secrety until the patch is released.

There are arguments on both sides of the story, and a search on the Internet will give you all the arguments of both camps. However GNU , I think, is for total disclosure as early as possible, so as the G in GNOME means GNU then the path is easy to follow.

Please note, that to discover there is a problem doesn't mean you have to publish an exploit too. Many of the security issues are potential vulnerabilities, which means they don't have an exploit yet and have time to be fixed and included in the next stable release and distributed. The bugtraq people could ensure that exploit code is removed from bugzilla.

Anyhow, exploit codes are plentifull on the internet...

Check the recent glibc fix and the rumour about an ssh exploit not publicly known.

look:
www.linuxtoday.com
www.incidents.org
www.securityfocus.org

I think the worst part is people not adminiting that their soft is vulnerable or may not be perfect. They put the industry at risk.

For instance www.phpnuke.org is a great software, but the last post on security is from september 2000. There is a message every week on bugtraq (www.securityfocus.org) about a cross scripting issue....

Cheers
Franck sopac org

On Fri, 2001-12-21 at 17:43, Gregory Leblanc wrote:

Well, I don't particularly like it either, but depending on the severity
of the security issue, I can see it being "desirable".  If it's an issue
that is fairly easy-to-exploit, having it open to the public is a Bad
Thing, since Joe Black Hat Cracker can browse our bug system, and start
exploiting bugs that exist in some large portion of our user base.  Even
after we make a fix available, it could be quite some time before users
manage to upgrade to a version that isn't vulnerable.  I'm really quite
torn on which way things like this should go for the GNOME project.
	Greg

-- 
Portland, Oregon, USA.

_______________________________________________

Follow-Ups:
- Re: Security reports in bugzilla?
  - From: Seth Nickell

References:
- libgnomeprint status/usage
  - From: Lauris Kaplinski
- Security reports in bugzilla?
  - From: Franck Martin
- Re: Security reports in bugzilla?
  - From: Telsa Gwynne
- Re: Security reports in bugzilla?
  - From: Ross Golder
- Re: Security reports in bugzilla?
  - From: Gregory Leblanc

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]