bittorrent in core? what frontend?

Sean seanlkml at sympatico.ca
Sat Dec 17 21:32:59 UTC 2005


On Sat, December 17, 2005 4:17 pm, Jesse Keating said:
> On Sat, 2005-12-17 at 16:04 -0500, Sean wrote:
>> It's a low risk feature that adds significant ease of use for the user.
>> You haven't shown at all how it could be exploited.
>
> If I knew how it could, I would have alerted upstream and vendors to get
> a CVE assigned and a fix coordinated.  Unfortunately not all folks who
> discover flaws act in this way.
>
> With a port forward, any traffic at all can be pushed to the client.
> Who knows what kind of overflows or whatnot may be in the client
> software, that could lead to something which the client has rights to
> do, such as 'remove your temp files, which are ~/*'.  My point is that
> forwarding ports is a risk.  Sure it could just wipe your user files,
> but maybe it could do more.  I don't know, I am not a security expert.
> Forwarded ports are much different than established/related packets.
> Unassociated traffic can come in at will.  This kind of risk needs to be
> something a USER assumes, not a distribution.
>

That's a pretty weak argument.  Many users are connected directly to the
internet and thus when they start the application they assume the risk.
It's the exact same thing if they install a router that has UPnP enabled
on it; they've assumed the risk.

But so long as you're happy to include the feature if it's disabled by
default we really have no reason to argue.

Sean



