Retiring ksensors, possibly id3lib as well?
Björn Persson
bjorn at xn--rombobjrn-67a.se
Wed Oct 7 21:10:11 UTC 2009
Lyos Gemini Norezel wrote:
> Don't security risks grow exponentially as software 'bit rots'?
If someone finds and publishes a security hole, and no one tries to fix it, then
the risk increases dramatically. If no holes are published and the software
doesn't change, then I'd say the risk is fairly constant.
There is always the possibility that some bad guy finds a hole that the good
guys haven't found and fixed yet. The bad guy can then use the hole in a few
directed attacks against selected targets. (In the case of id3lib he could for
example send a malformed MP3 file to the victim by email.) In that case you're
at risk only if you are the bad guy's target. He can also use the hole in a
large-scale attack against the entire user base (for example publish a
malformed MP3 file on some popular file sharing networks), but only once,
because then the hole will become publicly known and presumably fixed, and
after that the risk is the same as for any other published hole. All of this
is true both for stable software and for software in active development, and
although the developers in an active project may occasionally find a hole and
fix it, they may also introduce a new hole at any time.
I'm much more nervous over programs like Squirrelmail, Firefox and
Thunderbird, for which there is a steady stream of security fixes, because it
indicates that the code is of low quality or that the design is fundamentally
flawed.
Björn Persson
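The risk Björn describes for id3lib is that a tag parser in an unmaintained library trusts length fields inside an attacker-supplied MP3 file. The following is an added example, not code from the thread or from id3lib: a small ID3v2.3/2.4 tag-frame parser written the way a defender would want one, checking every declared size against the bytes actually present before using it. The tag bytes it runs on are constructed inline; the helper names (`safe_parse`, `build_tag`) are this example's own.

```python
import struct

# ID3v2 header and frame layout assumed here (from the ID3v2.3/2.4 specs):
#   tag header : "ID3" major rev flags size(4, synchsafe)
#   frame      : id(4) size(4, synchsafe in v2.4, plain big-endian in v2.3) flags(2) payload


def decode_synchsafe(data: bytes) -> int:
    """Decode a 4-byte synchsafe integer (7 bits per byte, high bit must be clear)."""
    if len(data) != 4:
        raise ValueError("synchsafe integer must be 4 bytes")
    if any(b & 0x80 for b in data):
        raise ValueError("synchsafe byte has its high bit set")
    return (data[0] << 21) | (data[1] << 14) | (data[2] << 7) | data[3]


def encode_synchsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_id3v2_frames(buf: bytes, max_frames: int = 1000):
    """Return a list of (frame_id, payload) from an ID3v2.3/2.4 tag.

    Every size read from the file is checked against the data that is really
    there, so a malformed tag raises ValueError instead of driving reads or
    copies past the buffer.
    """
    if len(buf) < 10 or buf[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major = buf[3]
    if major not in (3, 4):
        raise ValueError(f"unsupported ID3v2.{major}")
    tag_size = decode_synchsafe(buf[6:10])
    end = 10 + tag_size
    if end > len(buf):
        raise ValueError("declared tag size exceeds available data")

    frames = []
    pos = 10
    while pos + 10 <= end:
        frame_id = buf[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break  # padding: rest of the tag is empty
        if not all(0x41 <= c <= 0x5A or 0x30 <= c <= 0x39 for c in frame_id):
            raise ValueError("invalid frame id")
        size_bytes = buf[pos + 4:pos + 8]
        if major == 4:
            size = decode_synchsafe(size_bytes)
        else:
            size = struct.unpack(">I", size_bytes)[0]
        # The check id3lib-style bugs miss: the frame must fit inside the tag.
        if size > end - (pos + 10):
            raise ValueError("frame size exceeds tag")
        frames.append((frame_id.decode("ascii"), buf[pos + 10:pos + 10 + size]))
        if len(frames) > max_frames:
            raise ValueError("too many frames")
        pos += 10 + size
    return frames


def safe_parse(buf: bytes):
    """Wrapper returning (frames, None) or (None, reason) for malformed input."""
    try:
        return parse_id3v2_frames(buf), None
    except ValueError as exc:
        return None, str(exc)


def build_tag(frames, major: int = 4) -> bytes:
    """Build a well-formed tag (used only to construct sample input below)."""
    body = b""
    for fid, payload in frames:
        size = encode_synchsafe(len(payload)) if major == 4 else struct.pack(">I", len(payload))
        body += fid.encode("ascii") + size + b"\x00\x00" + payload
    return b"ID3" + bytes([major, 0, 0]) + encode_synchsafe(len(body)) + body


# Constructed samples: one valid tag, and two "malformed MP3" tags of the kind
# an attacker might mail to a victim.
GOOD_TAG = build_tag([("TIT2", b"\x03hello")])
# Tag header claims 100 bytes but only the header follows.
TRUNCATED_TAG = b"ID3\x04\x00\x00" + encode_synchsafe(100)
# Frame claims 1000 payload bytes inside a 16-byte tag.
OVERSIZED_FRAME_TAG = (b"ID3\x04\x00\x00" + encode_synchsafe(16)
                       + b"TIT2" + encode_synchsafe(1000) + b"\x00\x00" + b"\x03hello")

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("truncated", TRUNCATED_TAG),
                      ("oversized frame", OVERSIZED_FRAME_TAG)]:
        print(name, safe_parse(tag))
```

The point of `safe_parse` is that a caller such as a mail client's attachment previewer gets an error value it can log and drop rather than a crash, which is also the condition a detection rule or fuzzer harness would look for when exercising an old tag library against hostile files.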