[sldev] Security Update 2008-10-06 to SL Viewers and source
Anders at Arnholm.se
Wed Oct 8 04:57:02 PDT 2008
> On Wed, Oct 8, 2008 at 6:28 AM, Anders Arnholm <Anders at arnholm.se> wrote:
> Yes. That was not intentional. A well-intended dev edited the release
> notes, which should only be maintained by a member of the release
> team. That shouldn't repeat.
Peronally i think that was good, made it possible to deside how
important the update was to apply, if one shoudl log out and update ort
wait for next connection or next compile.
>> The problem in this
>> case then comes with GPL, we who got the patch had to wait with releasing
>> the bug fix for not violating the GPL.
> And that still needs to be discussed. If early limited source
> disclosure becomes policy, we need to either live with having everyone
> wait, or we need to find a way to allow people to release the binary
> early while still complying with the licenses we offer.
It would help, but over all I don't think with holding informaition on
what the error is is a good solution, not when the fix exists, and in
this moment it does. The bad once are the fist the looks for the
problems. They don't wait for us to go over the code and find the
problems for them. With holding back the fix you don't hold back the
problem just the spead of the fix to the last users imho.
>> But over all the fix as clear as possible as early as possible is a good
>> thing there is nothing good in security by obsurity.
> As repeated, that philosophy is about fortifying technology instead of
> leaving holes merely because they're difficult to see. It's never been
> a prescription for a project telling the world every way that it can
> be hurt before taking any steps to protect itself.
Making the code available is a part of sending out the cure, over all i
think thats a better way to approct the problem. When it comes to
security I'm sure there are buffer problems caused by incoming network
traffic. I think i see an increased number of crashes when servers
behave bader, that is a typical sign of something bad in the network code.
I wish i had time to dive into that part of the code, how ever RL coding
takes to much time at the moment. Sadly no-one pay's me to hack SL code...
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the SLDev