* Lupe Christoph <l...@lupe-christoph.de> [090810 21:13]:
> > Almost all security holes need the user to do something. (If only to
> > power up the machine, to install some packages, to connect to the
> > internet, to give accounts to users). The question cannot be that
> > something has to be done to make people vulnerable, but whether properly
> > sane and educated people can guess that something opens a security
> > problem.
>
> I interpret this to mean that there should be DSAs for all problems *made
> possible* by Debian packages, rather than those *caused* by the package.
What I try to tell you is that I do not share your interpretation of "caused".

If bash had a bug to always include . in PATH, would that cause a problem or make a problem possible? (After all, no one forces you to switch to other people's directories before doing ls).

If a web browser has a problem executing arbitrary stuff told by the website visited, is that a security problem "caused" or made possible by the web browser? (After all, if you do not visit untrusted sites, there is no problem).

If sshd had a bug so that "PermitRootLogin without-password" (which is not the default) allowed people to log in without any identification as root instead of what it is supposed to be, would that be a bug caused by ssh or a bug made possible by ssh?

So in my eyes it is no criterion at all that the user has to change some configuration. The question is whether this change is supposed to cause the effects it does and if a user can be expected to understand the effects.

Yours faithfully,
Bernhard R. Link