Stefano Zacchiroli wrote:
> That is: considering that introducing a new web server in the archive
> will potentially increase the work of the security team, it must be
> worth.
You know, introducing any package that is capable of network traffic in either direction can potentially increase the work of the security team.

What this thread appears to be missing is any acknowledgement of the degrees of potential security impact that exist between apache and, say, wget. An exploitable hole in apache's default configuration has the impact of massive worms doing real damage to the internet and exposing vast amounts of information to black hats, etc. Organisations exist that will pay a nice sum of money for zero-day access to such a security hole. An exploitable hole in wget is likely only "exploitable" in theory, or with much effort and luck. I doubt you could find anyone who'd pay you $10 for zero-day access to such a hole.

The woof package seems likely to have a total security impact that is actually less than wget, since fewer people will be using it, and its use will be limited to more peer-to-peer situations. I have found a security hole in woof. How much will someone pay me to disclose it? [1]

AFAICS, woof is unique in both its strategy of serving a file only 1 (or N) times, and its trivial command-line invocation on a single file. I'd use it.

Incoming code of possible security significance should be reviewed for at least common classes of security holes. Instead, we get a thread where the ITPer is required to prove that nothing in Debian can do what his package does. Personally, I feel that our culture of ripping ITPs to shreds has gone too far, and needs to be reined in, while our culture of actual, useful security impact analysis and review is stunted.

-- 
see shy jo, who has written a small, stupid, badly designed web server with no unique or redeeming features, and gotten it into Debian :P

[1] I've emailed the author, so it won't be zero-day for long. Buy now!