Re: [Full-Disclosure] Is Mozilla's "patch" enough?
- To: Aviv Raff <avivra@xxxxxxxxx>
- Subject: Re: [Full-Disclosure] Is Mozilla's "patch" enough?
- From: Florian Weimer <fw@xxxxxxxxxxxxx>
- Date: Mon, 12 Jul 2004 21:02:51 +0200
* Aviv Raff:
> On Mon, 12 Jul 2004 20:34:44 +0200, Florian Weimer <fw@xxxxxxxxxxxxx> wrote:
>> * Aviv Raff:
>>
>> > Security patches shouldn't be overridden unless intended to (i.e.
>> > uninstalled).
>>
>> This is not standard industry practice. Especially if a patch might
>> break previously working configuration, I completely agree that it's
>> correct.
>
> That's why there should be a way to uninstall the patch, as I wrote.

This requires that you have individual patches for each vulnerability,
something that is often practically impossible (because of
combinatoric explosion) and is a support nightmare if it is possible.
Those vendors supplying source code are far better off in this area.
You simply pick the parts you like and recompile your own version.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html