Joined: Feb. 2007
||Posted: June 01 2008,12:37
Starting a new topic to keep the "compile issues" thread from being hijacked.
curaga re: my idea of packaging a zlib+ssl+ssh security update:
|They are important, but what about all other stuff that has had security updates (png, jpeg, FF, glibc, etc. etc.)?|
Those are also important and I also have libpng, ungif, etc., updated on my hard drive install. The differences between vulns in the image libs and the three I listed are like night and day: the vulns in the image libs are usually limited to causing crashes and DOS while the vulns in ssl/ssh present problems with MITM and other attacks that pilfer private data or make it easier to do so.
I'm not dismissing the severity of problems with other libs or apps. I'm just a lot more concerned about the integrity of the libraries and apps that protect my privacy and my data.
|Just saying it might not be worth going for, as to be secure it would need a total overhaul. |
"Going for" is already done on the three I listed; they just need to be stripped and packaged. And, as I noted, I could also submit the image libs as well if there's interest. Beyond that, you're right because it would take a lot of effort to patch it all and tiny core will be out soon with a fresher base and fewer things to keep an eye on. That's another reason I favored making DSL a lot more modular when Robert polled about it last year -- it'll make this issue a lot easier to manage going forward.
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)