On Sat, Sep 02, 2006 at 10:37:04AM +0200, Rolf Kutz wrote:
> * Quoting Mikko Rapeli ([EMAIL PROTECTED]):
> > I think it is relevant: should the effectiveness actions in general
> > be based on the host where the update was applied through lsof, package
> > dependencies provided and digitally signed by Debian, some other information
> > provided and digitally signed by the Debian security team in an
> > advisory or something else?

Or package installation scripts provided by the package maintainer.

> The problem here is that when the software has
> been exploited already, installing the security
> update doesn't fix the problem anymore.

Exploited to what extent? Without stack protection, address space
randomization, selinux etc, it's very difficult to know whether a
process's address space has been violated. And non-privileged processes
don't have write access to binary files on the system without additional
local root holes.

My point is: lsof may not be trustworthy on a per-host basis when making
security updates effective. The time between security bug publication
and applying the updates varies too much.

If a Linux distro can do better than Windows and not require a full reboot
after every update, I'd like to see a confirmation of the steps required
to make the update effective from a source I trust anyway.

-Mikko
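
An added example, not part of the message above and not code from Debian or lsof: a sketch of the per-host check the thread is debating. It parses `/proc/<pid>/maps` to find processes still executing code from files that an upgrade has unlinked. The function names and the sample map lines are constructed for illustration.

```python
import os
import re

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$")
DELETED = " (deleted)"
# Mappings that show up as deleted without any package having been upgraded
IGNORE_PREFIXES = ("/SYSV", "/dev/", "/memfd:", "/tmp/")

def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m or m.group("inode") == "0":
            continue  # anonymous memory, [heap], [stack], [vdso]
        path = m.group("path")
        if not path.endswith(DELETED) or "x" not in m.group("perms"):
            continue  # file still on disk, or a data-only mapping
        path = path[:-len(DELETED)]
        if not path.startswith(IGNORE_PREFIXES):
            stale.add(path)
    return sorted(stale)

def scan_host(proc="/proc"):
    """Map pid -> stale executable files for every readable process."""
    results = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                found = stale_mappings(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if found:
            results[int(entry)] = found
    return results

# Constructed sample: a daemon started before libcrypto was upgraded.
SAMPLE_MAPS = """\
08048000-0804f000 r-xp 00000000 08:01 131085 /usr/sbin/sshd
b7d5a000-b7e83000 r-xp 00000000 08:01 245761 /lib/libcrypto.so.0.9.8 (deleted)
b7e83000-b7e98000 rw-p 00129000 08:01 245761 /lib/libcrypto.so.0.9.8 (deleted)
b7ea0000-b7ea4000 rw-s 00000000 00:09 32769 /SYSV00000000 (deleted)
bfc00000-bfc15000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for pid, files in sorted(scan_host().items()):
        print(pid, ", ".join(files))
```

Because the result comes from the host's own `/proc`, it carries the same per-host trust limitation the message raises about lsof.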