Re: Proposal: gnome-user-share



On Tue, 2004-11-30 at 22:52 -0500, Bryan Clark wrote:
> On Tue, 2004-11-30 at 22:25 -0500, Rodney Dawes wrote:
> > How secure is howl? It's not exactly a widely deployed piece of software
> > either. Yet, we still just shoved in and depended on it. And what about
> > neon? It's used by gnome-vfs now. I don't think security was one of the
> > primary claims to fame in either of the decisions to use them. Yet, we
> > do.
> 
> Yes and you chose to use howl for epittance as well.  Each of these
> libraries was chosen as what the maintainer felt were the most secure
> methods of providing the correct functionality for GNOME.  If you felt
> there were more secure libraries or applications that should have been
> chosen instead of those that were you should have voiced your opinion at
> that time.  You still can try to change those things if you feel they
> are insecure and there is a better alternative out there, but crying
> wolf at every library doesn't do any good.

I'm not crying wolf. I'm crying favoritism. There's a difference. We
already include libsoup in the desktop. Arguing about its security at
this point is silly, unless you're going to point out holes and get
them fixed. We've already got about 8. That seems pretty gratuitous.
I did voice my opinion at the time that the decision was being made,
but it didn't matter. Not that any of the discussion was about security,
because it wasn't. It was about avoiding the explosive number of HTTP
implementations we seem to be attaining, just so every other app can
talk to the web. I chose howl because gnome-vfs already depended on it,
not because of any security record or API design that blew me away, or
any of that. I chose it because it was already depended upon by the
platform I was developing a piece of software for. And I'll continue
to do that when developing software, because it makes sense. If there
are security issues in the code, then they will come up, and they will
be dealt with appropriately. That's how it works for every piece of
software ever written. Someone finds an exploit, and it gets fixed.
Howl was chosen because it does the multicast dns stuff needed to do
service discovery in gnome-vfs. That is all. It was an existing library,
that works. Neon was chosen because Alex felt the API better fit what
he wanted to do with the http module in gnome-vfs. Not because it was
or is more secure than libsoup. It never came up. What did come up was
that it had API that allowed him to do something a certain way, that
libsoup did not yet do, and he did not want to work to get the API in
libsoup to do that. He simply used neon instead.

> > >   Just because security holes are not known yet does not mean
> > > that it is secure.
> > 
> > How very true. Just because Apache has had a lot of security holes, and
> > they've been fixed, doesn't mean there won't be more, either.
> 
> Arguing with me about epittance being just as secure as apache is
> ridiculous and not what this list is for.

Exactly, so please stop trying to make it into an argument. I was making
a point. It's been made. I am not saying it is just as secure, I am
saying it is just as insecure. This list is also not for claiming that
something is insecure and then telling me not to argue about it. If you
don't want to argue about it, don't bring it up.

-- dobey