Here I go, replying to myself again ...

On Sat, Oct 09, 2004 at 10:48:15PM +0100, paddy wrote:
> clamav is a really good example of a very self-contained, at least in
> some setups. two pipes, no privs (someone correct me if I'm wrong).
> In the case of clamav, what I believe is at issue is not the stability or
> security of whole individual systems (possibly the clamav function) but
> importantly the stability of the archive, that system.

Even if I'm not oversimplifying, I'm assuming that compromise of a clamav process could give access to any local exploits available through available system calls. I take it that stable and security.d.o pick up the tab for this.

Which makes me wonder: I seem to recall that maintenance of Linux kernels has tended to drop covering local holes after a period on old kernels. I take it stable has this covered, but it would be a consideration for any potential deep-freezers, and is at least a box to check for volatile.

Regards,
Paddy

--
Perl 6 will give you the big knob. -- Larry Wall