Hello Ivan,

>>>>> "IP" == Ivan Popov <[EMAIL PROTECTED]> writes:

IP> Looking at TightVNC Unix Changelog at www.tightvnc.com, I don't
IP> see any changes since November 2001. I see also that most of the
IP> traffic on vnc-tight-list concerns Windows (looking at the
IP> archives, I am not on the list).

IP> It makes the impression that Constantin - surely for good reasons
IP> - has abandoned development of the Unix version (Constantin,
IP> correct me if I'm wrong).

Yes, I think you're wrong. ;-) I update change logs only on releasing new versions, that's why there were no new records since November. In the future, I'll try to release new versions more often. I worked on the Unix version and I plan to continue working on it (actually, I like Unix part of the work much more than Win32 version).

IP> For those using vnc on distributed filesystems I have to warn that
IP> the default configuration of the tools is essentially insecure, in
IP> some real scenarios opening access to your session to the whole
IP> world. Exploitation in such cases is trivial even for
IP> script-kiddies.

IP> It is not a problem with the protocol or the implementation, it is
IP> just wrong defaults (assuming a local home filesystem) built into
IP> the software that are so dangerous.

IP> I hope Constantin will either find resources to fix the Unix
IP> version, or delegate that part of the project to another volunteer
IP> (well, may be not easy to find, I would not volunteer myself!).

IP> I do not think independent patches flying around are a good
IP> solution for the project. But anyway -

Why not? In general, I don't see any problems with including good patches into the TightVNC codebase.

Regarding your security improvements, I think they're important, and I saved them for later inclusion; sorry that I could not find the time to answer your previous mail on the subject :-(. But before inclusion into the TightVNC codebase, I'd like first to discuss the changes with the community.
I understand that keeping passwords in home directories is often a security risk, but is /tmp really a better place for _most_ users? And you know that there are a lot of other security-related problems in VNC (e.g. causing denial of service in Xvnc is extremely easy), so I think VNC should be used _only_ on trusted networks anyway...

Currently, I'd prefer to include your changes, but only as an optional choice, so admins could easily choose where to place .vnc directories -- either in home directories, or in /tmp.

IP> some non-intel architectures workaround patch:

[skip]

I believe this problem is fixed in the latest version.

-- 
With Best Wishes,
Constantin