| 1 |
On Fri, 1 Feb 2013 09:45:07 -0500 |
| 2 |
Rich Freeman <rich0@g.o> wrote: |
| 3 |
|
| 4 |
|
| 5 |
> That seems rather speculative. I'm sure that people look for |
| 6 |
> vulnerabilities in unmaintained software - if they didn't then nobody |
| 7 |
> would be able to exploit them in the first place (you have to find a |
| 8 |
> vulnerability to exploit it). I imagine most vulnerabilities are |
| 9 |
> found by people outside of projects in the first place. |
| 10 |
> |
| 11 |
> We don't know how many vulnerabilities there are in maintained |
| 12 |
> packages, let alone unmaintained ones, so a comparison is a bit |
| 13 |
> difficult. |
| 14 |
|
| 15 |
Also, there are plenty of packages that can't really *have* interesting |
| 16 |
security vulnerabilities in the first place. I don't know the specifics |
| 17 |
of the games that were removed, but games in general, if they are |
| 18 |
purely single-player and only ever read and write files in the player's |
| 19 |
home directory, don't really have an attack surface to start with. You |
| 20 |
can't remotely exploit a program that never creates a socket, and you |
| 21 |
can't locally exploit a program that never tries to access files other |
| 22 |
than those in its invoker's home directory and root-writable |
| 23 |
directories like /usr/share, and does so with the invoker's usual |
| 24 |
privileges. Do you treeclean those because "they might have security |
| 25 |
holes"? |
| 26 |
|
| 27 |
Chris |
Archives