[sldev] Security Update 2008-10-06 to SL Viewers and source code-CLARIFICATION

Anders Arnholm Anders at Arnholm.se
Wed Oct 8 04:57:02 PDT 2008


Soft skrev:
> On Wed, Oct 8, 2008 at 6:28 AM, Anders Arnholm <Anders at arnholm.se> wrote:
>   
> Yes. That was not intentional. A well-intended dev edited the release
> notes, which should only be maintained by a member of the release
> team. That shouldn't repeat.
>
>   
Personally I think that was good; it made it possible to decide how 
important the update was to apply, whether one should log out and update or 
wait for the next connection or next compile.
>   
>> The problem in this
>> case then comes with GPL, we who got the patch had to wait with releasing
>> the bug fix for not violating the GPL.
>>     
>
> And that still needs to be discussed. If early limited source
> disclosure becomes policy, we need to either live with having everyone
> wait, or we need to find a way to allow people to release the binary
> early while still complying with the licenses we offer.
>
>   

It would help, but overall I don't think withholding information on 
what the error is is a good solution, not when the fix exists, and at 
this moment it does. The bad ones are the first that look for the 
problems. They don't wait for us to go over the code and find the 
problems for them. By holding back the fix you don't hold back the 
problem, just the spread of the fix to the last users, imho.

>> But overall, the fix as clear as possible as early as possible is a good
>> thing; there is nothing good in security by obscurity.
>>     
>
> As repeated, that philosophy is about fortifying technology instead of
> leaving holes merely because they're difficult to see. It's never been
> a prescription for a project telling the world every way that it can
> be hurt before taking any steps to protect itself.
>
>   
Making the code available is a part of sending out the cure; overall I 
think that's a better way to approach the problem. When it comes to 
security I'm sure there are buffer problems caused by incoming network 
traffic. I think I see an increased number of crashes when servers 
behave badly, which is a typical sign of something bad in the network code.

I wish I had time to dive into that part of the code; however, RL coding 
takes too much time at the moment. Sadly no-one pays me to hack SL code...




