
 
 
04 November 2011 @ 06:04 pm
This is not a giant root exploit, this is a feature  

So, there is some history of organisations doing a poor job at managing security bugs.

We saw the “This is not really a security hole” jokes, made only to avoid having bad statistics on the front page. We saw the “OMFG you must update to the latest version RIGHT NOW and no I’m not telling why” panic.

We still frequently see security fixes hidden in unrelated public commits, just to make them harder to backport for distributors.

But really, there is absolutely no match for that. Kudos for setting a new standard in the worst way of dealing with security issues, guys.

Update: one of the developers has started insulting a pair of professional IT security experts who came and tried to educate him. Awesome reading, don’t forget the popcorn.

 
 
( 4 comments )
Martin Pitt on November 4th, 2011 08:56 pm (UTC)
This is not a giant root exploit, this is a feature
I'm so glad that I had that really bad feeling about this helper when I packaged calibre. Fortunately the Debian/Ubuntu packages don't ship this thing at all, I just ship a small non-root compatibility shim which just calls udisks --mount.
np237 on November 4th, 2011 09:04 pm (UTC)
Re: This is not a giant root exploit, this is a feature
Really, a big thanks to you for avoiding that.
(Anonymous) on November 5th, 2011 02:26 am (UTC)
Re: This is not a giant root exploit, this is a feature
For the record, the Fedora packager (Kevin Fenzi) had a similar reaction and killed the script in Fedora long ago. The 'calibre-mount-helper' in the Fedora package consists of a comment and the line 'exit 1'. :)
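The mitigation Martin Pitt and the Fedora packager describe above (drop the setuid helper, ship something that cannot elevate privilege) as an added example; this is my sketch, not the Debian or Fedora package's own shim. It assumes the helper's calling convention is `calibre-mount-helper <action> <device> <mountpoint>` with the actions `mount`, `eject` and `cleanup` (an assumption about calibre, not stated on this page), and that the udisks 1.x command line offers `--mount`, `--unmount` and `--detach` (the page only mentions `--mount`). The shim runs as the invoking user, so udisks' own policy decides what may be mounted; the script's only job is to refuse anything that is not a plausible block device name before handing it over. Setting `DRY_RUN` in the environment prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not the Debian or Fedora package's own shim): a non-root
# replacement for calibre-mount-helper that delegates to udisks.
# Assumed interface, NOT confirmed by the page:
#   calibre-mount-helper <action> <device> <mountpoint>
# Assumed tool: udisks 1.x CLI with --mount, --unmount and --detach.

# Accept only a conservative whitelist of block device names. Anything else
# (a path under /etc, a name containing spaces or "..", an empty string) is
# refused, so the shim cannot be steered at an arbitrary path.
validate_device() {
    printf '%s\n' "$1" |
        grep -Eq '^/dev/(sd[a-z]+[0-9]*|mmcblk[0-9]+(p[0-9]+)?|sr[0-9]+)$'
}

# Run (or, with DRY_RUN set, just print) the udisks command for one action.
# The mountpoint ($3) is accepted for interface compatibility and ignored:
# udisks chooses its own mountpoint, and nothing here runs with privilege.
helper() {
    action=$1
    dev=$2
    validate_device "$dev" || {
        echo "calibre-mount-helper: refusing device '$dev'" >&2
        return 2
    }
    case "$action" in
        mount)
            ${DRY_RUN:+echo} udisks --mount "$dev" ;;
        eject)
            ${DRY_RUN:+echo} udisks --unmount "$dev" &&
            ${DRY_RUN:+echo} udisks --detach "$dev" ;;
        cleanup)
            # Nothing to clean up: the mountpoint was never ours.
            : ;;
        *)
            echo "calibre-mount-helper: unknown action '$action'" >&2
            return 2 ;;
    esac
}

# Behave like the helper when invoked with arguments; do nothing when sourced.
if [ $# -gt 0 ]; then
    helper "$@"
fi
```

The whitelist is deliberately narrower than what udisks would accept; widening it (for example to `/dev/disk/by-id/...`) is a policy decision for the packager, not something the shim should try to be clever about.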
(Anonymous) on November 4th, 2011 09:45 pm (UTC)
Does any distro have a process in place that checks packages for security-sensitive code and requires special review for those? Things like suid binaries or installing kernel modules would belong there...
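On the question above about flagging security-sensitive payloads for review: an added example, not any distribution's actual tooling, of a check a packager could run over an unpacked package tree before upload. It reports setuid/setgid files (the category calibre-mount-helper belonged to), kernel modules, and files dropped into a handful of privilege-related configuration directories (that directory list is an assumption; adjust it to local policy), and exits non-zero whenever something needs a human look, so it can gate a build.

```shell
#!/bin/sh
# Added example (not any distribution's real review tooling): list the parts
# of an unpacked package tree that deserve a human security review before
# upload, and fail if there are any. The directory list under
# "privilege-config" is an assumption; adjust it to local policy.

# Print one "category path" line per finding, sorted. Return 1 if there were
# findings, 0 if the tree is clean, 2 on bad input.
audit_tree() {
    root=${1%/}
    [ -d "$root" ] || {
        echo "audit_tree: '$root' is not a directory" >&2
        return 2
    }
    findings=$(
        {
            # setuid/setgid files: the category calibre-mount-helper fell into
            find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
                sed 's/^/setuid-setgid /'
            # kernel modules, compressed or not
            find "$root" -type f \( -name '*.ko' -o -name '*.ko.gz' -o -name '*.ko.xz' \) |
                sed 's/^/kernel-module /'
            # drop-ins that grant or mediate privilege (assumed list)
            for d in etc/sudoers.d etc/polkit-1 usr/share/polkit-1/actions \
                     etc/udev/rules.d lib/udev/rules.d; do
                if [ -d "$root/$d" ]; then
                    find "$root/$d" -type f | sed 's/^/privilege-config /'
                fi
            done
        } | sort
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against the staged install root given on the command line.
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it over the staged install root (for Debian-style builds, the `debian/<package>` tree after `dh_install`; path assumed) and treat a non-zero exit as "a second pair of eyes is required", not as a verdict: a setuid binary can be legitimate, but it should never reach the archive without someone having looked at it.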