[email protected] writes:
> The fact that you got a response acknowledging the problem means that we
> do know that it needs to be addressed, and we have plans to do so. My
> guess is that your suggestions were construed as demands instead of
> constructive criticism.
My intention was to point out a critical security issue that seems to
have been known, but left unaddressed, for two years. I was highly
worried that this can be abused and produce bad press for the project
and OpenSolaris as a whole.
> I think we're having a productive discussion now. I don't think that
> this conversation is going to be productive if we continue to criticize
> one another. It would be better to focus on the technical issues that
> concern you.
I tried not to criticize individual members of the team, but more a
significant reluctance of the team to fix or work around a security
problem asap. This behavior of the pkg.depotd is just not in line with
the Solaris policy of secure-by-default. True, the daemon is disabled
by default, but operates in highly dangerous mode once enabled.
>> What this seems to forget is that many sites are sort of forced to use
>> what is available *now*, and have been working with packaging software
>> and automated installation for years if not decades, so they
>> understand their use cases just as well.
>
> Could you clarify what you mean by this comment? The OpenSolaris
> releases are 2-week snapshots of our development release. If you deploy
> FreeBSD or Debian, are you required to pull the HEAD of FreeBSD every
> two weeks, or run Debian Unstable? I understand wanting to run the
> latest bits, but there needs to be an expectation that the code is still
> in development and may be incomplete and subject to change.
This can all be said for missing features, but not about an insecure
default. pkg.depotd defaulting to no access control for publish access
seems to have been present for two years. Do you really believe that
(taking the analogy from my original message) a subversion server
defaulting to write access for everyone once it is started would have
been released and tolerated for two years, in development or not? I'm
not talking about two-weekly snapshots here: this behavior has been in
two formal OpenSolaris releases, I think: 2008.11 and 2009.06, and not
even a hint that it might be problematic.
Rainer
--
-----------------------------------------------------------------------------
Rainer Orth, Center for Biotechnology, Bielefeld University
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss