On 01/07/2012 01:59 AM, Reindl Harald wrote:
> On 07.01.2012 07:52, Digimer wrote:
>> On 01/07/2012 01:02 AM, Reindl Harald wrote:
>>> On 07.01.2012 06:35, Digimer wrote:
>>>>> if you have a big customer which hires a 3rd party auditor
>>>>> you are NOT in the position to give such arguments or
>>>>> you can give them but you can not change ANYTHING in
>>>>> the fact that finally "fix it or shutdown the service"
>>>>> is what you have to do
>>>>
>>>> If you have a "security expert" who can't grasp the concept of
>>>> back-ported bug fixes, and is unwilling to test for specific
>>>> vulnerabilities' existence, it's time to get a new expert.
>>>
>>> you are missing the point: A BIG CUSTOMER has a security expert
>>
>> No, I'm not missing the point. You're asking for a wholesale change in
>> how a program works so that you can have an easier time with an
>> uneducated customer. Your job, as a consultant or IT support is not make
>> sure that your solution is safe. Making your customer feel comfortable
>> without actually giving them security is a bad idea.
> I know about the pros and cons of obscurity,
> but I also know that from "SSH-2.0-OpenSSH_5.8" only "SSH-2.0"
> is relevant for clients, and having backports in mind this must
> be the truth, because if the whole version mattered all
> LTS distributions would be broken by design
This doesn't change the fundamental point:
You are asking for a significant change in behaviour to a program that
who-knows-how-many apps use, for no real reason other than to make a
client feel better.
--
Digimer
E-Mail: digimer(a)alteeve.com
Freenode handle: digimer
Papers and Projects:
http://alteeve.com
Node Assassin:
http://nodeassassin.org
"omg my singularity battery is dead again.
stupid hawking radiation." - epitron
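The claim in the thread that only the "SSH-2.0" part of the banner matters to a client can be checked against the identification-string format RFC 4253 defines ("SSH-protoversion-softwareversion SP comments CR LF"). The Python below is an added example, not code from this thread or from OpenSSH; the banners it parses are constructed samples, and a client's protocol decision is shown to depend on protoversion alone, while the software name and any distro package revision in the comments field carry no statement about which fixes are back-ported.

```python
import re
from typing import NamedTuple, Optional

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion must not contain whitespace or '-'; comments are optional.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>[^\s-]*)(?: (?P<comments>.*))?$"
)


class SshBanner(NamedTuple):
    protoversion: str       # e.g. "2.0" or the compatibility value "1.99"
    softwareversion: str    # e.g. "OpenSSH_5.8"; names a release, not a patch level
    comments: Optional[str]  # e.g. a distro package revision such as "Debian-3ubuntu7"


def parse_ssh_banner(data: bytes) -> SshBanner:
    """Parse the identification string a server sends at connect time.

    RFC 4253 lets a server emit arbitrary lines before the identification
    line; a client skips every line that does not start with "SSH-".
    Lines end in CR LF (a lone LF is tolerated here).
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            continue
        m = _BANNER_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification line: {line!r}")
        return SshBanner(m["proto"], m["software"], m["comments"])
    raise ValueError("no SSH identification line found")


def client_compatible(banner: SshBanner) -> bool:
    """The only field a client's protocol decision depends on.

    "2.0" is SSH-2; "1.99" is the RFC 4253 signal that a server also
    accepts 2.0 clients. softwareversion and comments play no part, which
    is why hiding or rewriting them would not affect interoperability.
    """
    return banner.protoversion in ("2.0", "1.99")


if __name__ == "__main__":
    # Constructed samples, including a pre-banner greeting line a client must skip.
    for sample in (b"SSH-2.0-OpenSSH_5.8\r\n",
                   b"Welcome\r\nSSH-1.99-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"):
        b = parse_ssh_banner(sample)
        print(b, "client compatible:", client_compatible(b))
```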