Re: GTK+-1.2.9 Released

From: Havoc Pennington <hp redhat com>
To: "J. Ali Harlow" <gtk-list optosun7 city ac uk>
Cc: Owen Taylor <otaylor redhat com>, gtk-list gnome org, slashem-devel lists sourceforge net
Subject: Re: GTK+-1.2.9 Released
Date: 05 Mar 2001 13:42:05 -0500

"J. Ali Harlow" <gtk-list optosun7 city ac uk> writes:
> There may be a clear argument, but I have to say that it is
> unacceptable to me for the GTK team to resort to such
> nannyisms. While it would not be impossible for the Slash'EM
> development team to comply with this (and it would also have some
> fringe benefits) it would take a huge amount of work - we would have
> to change the graphical interfaces to the game into seperate
> processes and implement a protocol for communicating with the game
> core via pipes. It is quite ridiculus for the GTK team to impose
> their priorities on us in this way.
> 

If your app fails the check, your app is a security hole. Someone
should post it to Bugtraq. The fact that fixing the hole is a lot of
work doesn't really change the fact that it's a hole. ;-)

If the app is for custom or in-house or "not on the net" systems only,
then it should be acceptable to build a custom version of GTK with the
check removed, and that's a fine thing. But GTK as shipped protects
general users who may not be aware of security issues.

Any user who understands the security issue can trivially remove the
check from their copy of GTK. Or app authors can ship a hacked copy of
GTK and statically link, thus compromising only their app, and not
introducing the issue for other apps on the system.

Havoc

Follow-Ups:
- Re: GTK+-1.2.9 Released
  - From: J. Ali Harlow

References:
- GTK+-1.2.9 Released
  - From: Owen Taylor
- Re: GTK+-1.2.9 Released
  - From: Drazen Kacar
- Re: GTK+-1.2.9 Released
  - From: Owen Taylor
- Re: GTK+-1.2.9 Released
  - From: J. Ali Harlow

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]