
Re: URGENT: DON'T USE 2.0B3 - SECURITY ISSUES! (was: [leafnode-list]



krasel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx (Cornelius Krasel) writes:

> It's not released yet. Of course you can announce something on Bugtraq
> which has not even left my harddisk, but I don't care too much about
> that. At the moment, I am more interested in getting as much feedback
> about the stability of Leafnode as possible than fixing security
> holes.

You cannot judge the stability if you deliberately introduce new
security problems. What if this is forgotten and left in 2.0?

> Concerning the stability of Leafnode, it appears that there are
> several thousand users who are quite happy with it. That's certainly
> sufficient for me, and I am still interested in weeding out remaining
> bugs.

You don't expect the leafnode target group to be able to judge on the
stability. If fetchnews - run from cron - crashes occasionally, they
won't notice. If it inserts junk or drops an article, they may not
notice.

You knew that the getaline() function is still not fixed, yet it works
until someone catches spam that contains NUL bytes; even then, it MAY
survive, messing up an article that is later discarded.

People tend to not complain about such minor issues.
(Now guess why there is a getaline test suite in 1.9.17ma3.)

-- 
Matthias Andree

-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list