Florian Weimer wrote:
> >> Huh? What about safe_mode? Does CVE officially declare safe_mode as
> >> fundamentally insecure?
> >
> > Yes (except that it's not CVE who declared but vendor-sec).
>
> Okay, this is actually good news.

Hmm. I'm not sure that "safe_mode is fundamentally broken" is good news,
but it's the truth...

> Shall I write a draft DSA and some documentation patches? Some of our
> users rely on this feature and are not aware of its defects.

Please do. I think a good documentation on why/how safe_mode is
broken would be good to be added to www.debian.org/security/<somewhere>,
same as chroot-is-no-jail.

Regards,

Joey

--
In the beginning was the word, and the word was content-type: text/plain
Please always Cc to me when replying to me on the lists.