On Sat, Jun 26, 2004 at 09:55:01PM +0200, Horst Pflugstaedt wrote:
>
> what would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it"
>
> What's the worth of such announcements? U
* martin f. krafft:
> How does a firewall help? If the mission-critical server needs to
> provide HTTP access, the firewall will have port 80 open.
There are gateways which can filter at the HTTP level. Most of them
don't have fewer security bugs than Apache, but they often help
against cross-si
also sprach Tucker Hermans <[EMAIL PROTECTED]> [2004.06.27.1724 +0200]:
> I don't mean to sound like an ass, but if you have a mission-critical
> server or any server with secret data on it shouldn't a firewall already
> be in place for it? I mean it is naive to expect all software to not
> hav
* Tucker Hermans:
> I don't mean to sound like an ass, but if you have a
> mission-critical server or any server with secret data on it
> shouldn't a firewall already be in place for it? I mean it is naive
> to expect all software to not have security issues sometimes.
You didn't notice the inhe
martin f krafft wrote:
That's a thing of your webhoster. But if I knew of e.g. a root
exploit in the HTTP part of a mission-critical server containing
secret data, I want to turn it off, or take additional security
precautions, like a firewall layer etc.
I don't mean to sound like an ass, but if
On Sun, Jun 27, 2004 at 01:43:45PM +0200, martin f krafft wrote:
> also sprach Horst Pflugstaedt <[EMAIL PROTECTED]> [2004.06.26.2155 +0200]:
> > what would be the alternative?
> > The security team would have to announce "there's a possible security
> > flaw in package XY, we're on it, but it may t
also sprach Horst Pflugstaedt <[EMAIL PROTECTED]> [2004.06.26.2155 +0200]:
> what would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it"
>
> What's the worth of such announcemen
On Sat, Jun 26, 2004 at 02:39:02PM +0200, martin f krafft wrote:
> anything from its users. If a root exploit is out there, users want
> to know about it. Keeping it a secret is childish.
what would be the alternative?
The security team would have to announce "there's a possible security
flaw in pa
On Sat, Jun 26, 2004 at 02:39:02PM +0200, martin f krafft wrote:
So what is the official procedure of the security team?
It's there, you've read it. I don't think anyone wants to argue about it
again. You can read the archives for the last time we had this argument.
Mike Stone
While I can understand that the security team may want to receive
problem reports in a secure manner and be able to scrutinise them
first before going public, I am left at doubt if Debian is actually
about full disclosure (which the social contract seems to suggest),
or whether we accept the practi