From owner-freebsd-security  Mon Jul 20 11:28:47 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA16969
          for freebsd-security-outgoing; Mon, 20 Jul 1998 11:28:47 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16955
          for <security@FreeBSD.ORG>; Mon, 20 Jul 1998 11:28:44 -0700 (PDT)
          (envelope-from brett@lariat.org)
Received: (from brett@localhost)
	by lariat.lariat.org (8.8.8/8.8.8) id MAA21514;
	Mon, 20 Jul 1998 12:28:04 -0600 (MDT)
Message-Id: <199807201828.MAA21514@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 
Date: Mon, 20 Jul 1998 12:27:55 -0600
To: "Christopher G. Petrilli" <petrilli@dworkin.amber.org>
From: Brett Glass <brett@lariat.org>
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Gentry A. Bieker" <gbieker@crown.NET>, security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.3.96.980720141205.4600E-100000@dworkin.amber.org>
References: <199807201809.MAA21160@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'd go further. I'd be willing to allow an INSTANT automatic upgrade 
if the FreeBSD Security Manager sent a message, digitally signed with
a nice, long key, saying that a serious exploit might be imminent. It'd
be worth the risk. In the case of the QPopper hole, it would have been
the Right Thing.

The feature would, of course, be optional. Not everyone would turn it on,
but *I* would.

--Brett GLass

At 02:13 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
 
>On Mon, 20 Jul 1998, Brett Glass wrote:
>
>> It might save your butt.
>> 
>> But who said anything about "randomly?" The aforementioned Windows apps
>> do let you upgrade when you want to, and let you roll back.
>
>I think that the idea of "notification" of a new update is wonderful,
>however, installation should not be in anyt way "automatic", even if you
>say "sure upgrade my machine while I cross my fingers and hope that
>nothing 'unusual' happens."  This however, is trvially accomplished
>through either a modification to the package mechanism (providing an
>extra utility), or simply having email lists.
>
>Chris
>
>
>> At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>>  
>> >On Mon, 20 Jul 1998, Brett Glass wrote:
>> >
>> >> At 11:28 AM 7/20/98 -0500, you wrote:
>> >>  
>> >> >You don't expect all of your software to automaticly upgrade for you,
>> do you?
>> >> 
>> >> That's a darn good idea. Several Windows apps do this already. Why not
>> >> the FreeBSD ports?
>> >
>> >Oh yes, I definately want my applications randomly upgrading themselves
>> >... this will fix all my security holes :-)
>> >
>> >Chris
>> >--
>> >| Christopher Petrilli
>> >| petrilli@amber.org
>> > 
>> 
>
>--
>| Christopher Petrilli
>| petrilli@amber.org
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message