On 10/12/02 0:30 "Jeanfrancois Arcand" <[EMAIL PROTECTED]> wrote:
>> Now, don't tell me that ALL that collection of cruft doesn't have a bug...
>> It's just that we are lucky and no one found them yet (given enough eyes...
>> Linus says)...
>>
> I never say that and I will never say that. But at least I have tried
> during the Security Audit to fix some of the obvious ones. Still Tomcat
> is probably not secure enough (and will never be). My point is if you
> are aware of such obvious ones, then let me know and I will fix them.

You said (quote) "Jasper/AdminTool/etc. are secure"... That's a pretty bold statement.

From my experience, security audits and stuff are all right, until someone calls up at 3 AM saying "the server is down because of a DOS"... Nah, I don't like being woken up in the middle of the night...

> But I don't think Tomcat is more secure without JSP.... I know, I know, what
> I think you don't care :-)

The bible (for us Sun customers, _your_ customers):
<http://wwws.sun.com/software/security/blueprints/#minimum>

> "Solaris Operating Environment Minimization for Security: A Simple,
> Reproducible and Secure Application Installation Methodology
> - Updated for the Solaris 8 Operating Environment"
> - November 2000
> - by Alex Noordergraaf
>
> Discusses the process of minimizing an installation of the Solaris Operating
> Environment. Minimization is the process of removing all unnecessary
> components and services from the Solaris software to reduce system
> vulnerabilities. Also introduces a simple technique for replicating these
> types of installations across a large number of systems.

_YOUR_ security folks taught me that... Go and talk to them, they're down in SCA-7 if I'm not wrong... Paranoia is an irreversible process for us on the line of fire.

>> To sum up: rule of thumb #3, less code, less bugs (you folks from Sun
>> preach that all over your Solaris Blueprints stuff, I learnt it when your
>> employer was paying my salary).
>>
> Wow, didn't know that... I've missed the chance to work with you :-)

Don't worry, you would have _hated_ working with me (and proudly keeping up my record of being the most hated freak on the planet).

> I should study my Tomcat history and learn who is doing what, what
> biases he/she has, and then vote appropriately.

Oh, no, I got paranoid after I left Sun and started working on the other side of the barricade... Trying to use in production what I was coding earlier... :-)

>> So, please, don't come up on a mailing list saying "that is secure", just
>> say that "no one has found a bug yet", because that (and only that) is the
>> truth...
>>
> I agree my wording was not appropriate. Should say that in French next
> time :-)

Pas de problemes (where are the accents on this keyboard?)

Pier

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>