diff options
Diffstat (limited to 'zarb-ml/mageia-dev/2011-October/008648.html')
| -rw-r--r-- | zarb-ml/mageia-dev/2011-October/008648.html | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-October/008648.html b/zarb-ml/mageia-dev/2011-October/008648.html new file mode 100644 index 000000000..50526e710 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-October/008648.html @@ -0,0 +1,120 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] About syslinux & libpng + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C1317855236.3954.48.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="008621.html"> + <LINK REL="Next" HREF="008616.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] About syslinux & libpng</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C1317855236.3954.48.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-dev] About syslinux & libpng">misc at zarb.org + </A><BR> + <I>Thu Oct 6 00:53:56 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="008621.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI>Next message: <A HREF="008616.html">[Mageia-dev] texi2html +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#8648">[ date ]</a> + <a href="thread.html#8648">[ thread ]</a> + <a href="subject.html#8648">[ subject ]</a> + <a href="author.html#8648">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le mardi 04 octobre 2011 à 17:24 +0200, Guillaume Rousse a écrit : +><i> Le 04/10/2011 16:50, Michael scherer a écrit : +</I>><i> > On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote: +</I>><i> >> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote: +</I>><i> >> +</I>><i> >>> Except if I start to replace this by "here is a nice syslinux boot image +</I>><i> >>> with a duck". And then my code is run by syslinux, just because someone +</I>><i> >>> took my png picture. +</I>><i> >> +</I>><i> >> And the same person could say, "Here is my cool plymouth splash screen, use my +</I>><i> >> initrd", and there are 1000 easier ways to exploit this (than trying to +</I>><i> >> generate a PNG image with exploit code that someone would like enough to use +</I>><i> >> syslinux). +</I>><i> > +</I>><i> > Sure, but we can also upload the pics on some gnome-art or something like that. +</I>><i> > +</I>><i> > Now, if we consider every possible exploit requires opening a document as a non +</I>><i> > problem, I guess it would surely reduce our workload on security issue, and +</I>><i> > for sure enhance the confidence. +</I>><i> Those situations are not really comparable. Opening a document with the +</I>><i> corresponding application is a normal usage scenario, whereas +</I>><i> configuring the boot process is a system administration scenario, +</I>><i> requiring explicit context change. +</I> +This depend on the ease of use. If we have something easy to use to +change the boot process, I would not consider that as a system +administration task ( at least, that's not what i do as a sysadmin most +of the time ). + +And the question is that if we start to have exception for boot process +because that's too complex to do, and because there is likely no +problem, we are just being lazy. That would not be the first time, nor +the last, and I do not think we will get ride of bundled libraries +( since more expert community with more people have trouble to do that, +and we already traded sanity for convenience the day we packaged firefox +and chrome ), but not even trying will just make things worst in the +future. + +><i> > And while I was not aware of it when I wrote my mail, it already happened : +</I>><i> > +</I>><i> > MDKSA-2006:210 +</I>><i> Nobody said it didn't happened, just than forcing build against system +</I>><i> version of the library would requires more effort right now, without +</I>><i> avoiding the need to also rebuild syslinux in case of vulnerability in +</I>><i> libpng, as it is statically linked. It would just make easier to track +</I>><i> vulnerability by having a single version, and avoid to patch twice. +</I> +Which is already useful by itself. + +If it requires more work for now, that's also because everybody think +"someone else should do it, I will see later". Maybe next time, we +should not push a newer version of anything, and let the other do the +work. This worked fine for Mageia 1, this worked fine for Debian, so +maybe we could just go that way if that's easier. + +But in the same time pushing latest version of low level and higher +level component and then complain this make work is just wrong. + +Packager like to push newer stuff, except when it mean work for them +( like mass rebuild and fixing, like gnutls, libpng, python ). That's +not consistent. +-- +Michael Scherer + +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="008621.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI>Next message: <A HREF="008616.html">[Mageia-dev] texi2html +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#8648">[ date ]</a> + <a href="thread.html#8648">[ thread ]</a> + <a href="subject.html#8648">[ subject ]</a> + <a href="author.html#8648">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |