[DC LoCo] How not to handle a bug report

Robert Simmons rsimmons0 at gmail.com
Sat Nov 5 18:30:21 UTC 2011


On Fri, Nov 4, 2011 at 12:59 AM, Matthew Gallagher <mattva01 at gmail.com> wrote:
> I'm not sure I'd want to use Calibre after this....
> https://bugs.launchpad.net/calibre/+bug/885027
> (shamelessly stolen
> from http://www.reddit.com/r/programming/comments/lzb5h/how_not_to_respond_to_vulnerabilities_in_your_code/)

I almost fell out of my chair when the calibre developers responded to
Jacob Applebaum the way that they did when he weighed in on the
subject.  I think they don't know who he is.  They responded to him
like he's just a user leaving a random comment.

However, this actually highlights something important in Linux
security.  With user-installed software there is no way to control
how that software behaves, so if it installs a suid executable, it
can introduce a security vulnerability.  One of the things that I find
valuable to combat this sort of thing is a daily security audit of the
system which reports any new suid executables that it finds on the
box.  This audit is then summarized in report form and emailed to
root, which can be forwarded anywhere you like.  Additionally, if you
don't like the idea of plaintext security audit output going out
over SMTP to your email, you can run a milter that automatically
encrypts the email using your GPG public key before sending it.

However, to put it in perspective, not using calibre because of this
is too extreme a response.  Just understand the problem and work
around it.

Rob



More information about the Ubuntu-us-dc mailing list