You Wrote:

> > Oh, I read that quotation when it was published. It is a simple
> > statistics-based interpretation, and not something fair to base
> > judgement on. These 8 vulnerabilities were not Mandrake's (but
> > shared for all the Linuxes), and most of them are not dangerous
> > for people with the "paranoid" configuration mode.
>
>In this specific case the statistics don't lie.
>
>For instance - the userhelper problem (basically - userhelper didn't
>check that pam modules are from inside /etc/pam.d , which gave a very
>easy local root exploit) was discovered a while after mandrake 6.1
>was out, but was not officially fixed until after a couple of months
>mandrake 7.0 was out. IIRC a corrected package was available at
>mandrake-cooker, but anyway - it was never announced.
<snip>

Here is what Kurt Seifried had to say this week:

<quote>

Wow! I seem to have made some people at Mandrake software a little
unhappy with last week's comments (ya think!) Let me just say that I
have nothing against the Linux Mandrake distribution itself -- I think
it's ok. What I have a problem with is the way Mandrake Software
(the company) handles updates, security announcements and a few other
odds and ends. It isn't enough to build a finely engineered software
product. You also have to issue updates and in the case of an OS it is
critical that customers are told about security updates and made to
understand that if they do not update, bad things[tm] will happen. I
feel that the updates issued by a vendor are an integral part of the
OS, not some nice altruistic service they might be willing to provide
customers.

This is why I gave the Linux Mandrake distribution a "failing" grade.
My main two issues with Mandrake are the lack of a central,
Mandrake run ftp server (i.e. something like updates.redhat.com).
Instead, they rely on third party mirrors that may or may not be
working properly (and over which they have no control).

The other main issue I have is with the poor quality of their security
announcements. Users need to be explicitly told where to find updates
and how to implement them. Now Mandrake has largely fixed this issue,
with two new advisories on Sunday (for DHCP and WuFTPD). They tell you
where to find them, and how to update them. This makes me happy.
Congratulations to Mandrake!

</quote>

The quote was taken from
       http://securityportal.com/topnews/weekly/linux20000703.html

Yosi