> I don't see a security issue with his method.
>
> If you (a) read the entire patch and (b) comprehend fully everything that
> it does, then there's nothing to worry about. Fear comes from the unknown,
> and if you know everything in the patch, there's nothing to fear.

I'll agree if you fully comprehend the code, but few people do. Even experienced developers can easily overlook something here or there. So assuming that people will "comprehend fully" is making the claim that no one will ever look over a maliciously coded buffer overflow. Most users do not know how to read code while checking for maliciously inserted holes. There are enough accidental holes in all sorts of software to prove this.

On top of it, it teaches and encourages customers and users to just trust email attachments. It tells users "hey, next time you get an email, go ahead and install it".

Finally, this could be exploited right now. Code up a malicious patch, and email it to someone who has not received an official patch. Or to another email account of a real customer. Now they've heard "oh, it's a legit patch", and go install it. Bad.

-Michael

_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users