Bug#267040: Is a warning really adequate?

2006-10-06 Thread Jeroen van Wolffelaar
reopen 267040
thanks

On Sat, Aug 19, 2006 at 04:36:42PM +0200, Jeroen van Wolffelaar wrote:
> What do you think about this?

I do not feel that my concerns have been addressed.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Processed: Re: Bug#267040: Is a warning really adequate?

2006-10-06 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> reopen 267040
Bug#267040: remote code execution hole due to lack of Java security manager
'reopen' is deprecated when a bug has been closed with a version;
use 'found' or 'submitter' as appropriate instead.
Bug#301134: gcjwebplugin: no mention of non-active security manager
Bug reopened, originator not changed.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#267040: Is a warning really adequate?

2006-08-19 Thread Jeroen van Wolffelaar
As I explained in my mail below, I have my doubts whether just a warning
is an adequate resolution to this bug. I haven't entirely made up my
mind though, because well, there is a warning and users sort of choose
for themselves, but still, currently I tend to think it's not a good
idea to allow *this* easily that users allow remote code execution.

What do you think about this?

--Jeroen

- Forwarded message from Jeroen van Wolffelaar [EMAIL PROTECTED] -

Date: Sat, 19 Aug 2006 13:16:54 +0200
From: Jeroen van Wolffelaar [EMAIL PROTECTED]
To: Robert Millan [EMAIL PROTECTED], debian-gcc@lists.debian.org,
debian-release@lists.debian.org
Subject: Re: gcj and etch freeze
Message-ID: [EMAIL PROTECTED]
Resent-From: debian-release@lists.debian.org
List-Id: debian-release.lists.debian.org

On Sat, Aug 19, 2006 at 02:59:28AM -0700, Steve Langasek wrote:
> On Sat, Aug 19, 2006 at 11:42:03AM +0200, Robert Millan wrote:
> > > Last I knew, it still had
> > > serious security problems.
> >
> > Which ones?  I can't see anything in the BTS.
>
> I wouldn't know them by bug number; previously though, the problem was that
> gcjwebplugin didn't have appropriate sandboxing.

#267040: remote code execution hole due to lack of Java security manager

This is 'fixed' by:
- Shows warning before loading an applet (Closes: #267040, #301134)

Which, IMHO, doesn't make this usable except in fully trusted
environments where the browser is exclusively used to browse a fully
trusted intranet where nobody can change web content that doesn't
already have root on your machine.

Which is, basically, nowhere (IMHO, and barring myself misunderstanding
something).

The warning is talked about here:
http://langel.wordpress.com/2006/06/05/gcjwebplugin-is-actually-worth-using/
(thanks Michael Koch for the link)

I personally do not think we should offer this option to users, because
users tend to trust sites easily (and they are too often asked about
'trusting' too, w.r.t. https websites, for example), even though the
wording used is strong, and the consequence is arbitrary remote code
execution.

Anyway, I will follow up to the bug in question for discussion about this
issue.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





- End forwarded message -

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

