Re: Claimed vulnerability in GTK_MODULES



Hi!

> I don't think moving from 0% secure to 0.1% secure, then fixing a bug
> every day eventually making it to 5% secure after a few years of work,
> would be a worthwhile activity. We do have real functionality and real
> bugs to work on! Working on an impossible task on a daily basis is not
> very productive.

With world-writable high scores, anyone can mess them up in less than a
minute.

Messing up high scores with a setgid gtk+ app would take half an hour
(for me).

Messing up high scores with a setgid gtk+ app built on a gtk+ with the
known bugs fixed would take at least five hours, probably many more.

> We are not going to spend loads of time and disable important
> functionality just to get some bogus "semi-security" in order to
> prevent the more inept subset of crackers from adding false high
> scores to a high score table. This is a much-pain zero-gain
> proposition.

You are not disabling important functionality. It is disabled only in
cases of setuid programs. Also remember that by killing buffer
overruns and similar stuff in code, you are fixing real bugs. For
almost every security hole closed, you have one bug fixed.

-- 
The best software in life is free (not shareware)!		Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+