On Fri, 1 Feb 2019 14:40:33 -0500 Felix Miata wrote:

> Michal Suchánek composed on 2019-02-01 18:58 (UTC+0100):
>
>> On Fri, 1 Feb 2019 12:22:12 -0500 Felix Miata wrote:
>>
>>> Jeff Mahoney composed on 2019-01-30 12:20 (UTC-0500):
>>>
>>>> there are a number of file systems that are uncommon, poorly maintained, and contain security issues
>>>
>>> Is this theoretical, or real? IOW, is "poorly maintained" a label applied because of an absence of "maintenance" that is the result of an absence of changes in a filesystem that was fully mature 20-30 years ago and thus needs no maintenance?
>>
>> Oh right. Such software totally does exist.
>
> Some things remain in use for decades longer because they work. Older doesn't equate to bad. Indeed, newer often equates to bad, or at least, worse.
>
>> But unmaintained software equates to security flaws. All software has bugs and some can be exploited. If there is nobody to fix them they remain exploitable forever.
>>
>>> Are the "security issues" known, or merely theoretical?
>>
>> Disabling the autoload makes the obscure filesystem a much less rewarding target for an attacker, which actually improves security even for the people who do use it.
>
> Like an obscure filesystem that "nobody" uses any more would ever have been rewarding in the first place.

You omitted this part: If the module is autoloaded for everyone then it is usable for an attack even if the user never intended to use it in the first place. Discussion by quoting out of context ... Do you have no better argument left?

> The sky is falling.
>
> Were it not for this long discussion, no way when the HPFS in my fstabs stops autoloading would I have known why or what to do about it. Bugs between Linux and OS/2 filed too many moons ago to remember remain open, so I wouldn't expect any new problem arising from throwing out something old, reliable and well tested in favor of somebody's "improved" replacement to have a solution.

And they are unfixed why? Because the piece of software is not maintained. And there you are raving about old things in use for decades because they just work ...

> I'm not expecting anything to change on account of what I say, mainly trying to get some sense of the real world potential risk without first having to become a competent programmer. This seems like just another case of expending resources to fix what ain't broke instead of what is known broke, or the government standard attacking symptoms instead of disease.
If you cannot and don't want to understand it then you should trust in the experts that tell you it is broken ... or maybe you want to hire a snake oil merchant that fixes it for you instead?
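The practical point of the thread is that a filesystem module which autoloads for everyone is attack surface for everyone, while a host that actually mounts that filesystem (Felix's HPFS entry in fstab) needs to keep it. The script below is an added example, not something posted in the thread or shipped by openSUSE: it derives the filesystem types a host really uses from its fstab and emits a modprobe.d policy that disables autoload only for the unused candidates. The fstab text, the candidate module list and the output path are constructed or assumed for the example; the module names are real in-tree filesystem drivers, but which ones to consider is a local decision.

```shell
#!/bin/sh
# Added example (not from the thread): generate a modprobe.d policy that
# stops autoloading filesystem modules this host never mounts.
# Inputs are constructed strings; on a real host read /etc/fstab instead.

# Constructed sample fstab for the example (not a real host's).
SAMPLE_FSTAB='
# <device>            <mount>   <type>  <options>      <dump> <pass>
UUID=1111-2222        /         ext4    defaults       0 1
UUID=3333-4444        /boot/efi vfat    umask=0077     0 2
/dev/sda5             /os2      hpfs    ro,noauto      0 0
tmpfs                 /tmp      tmpfs   defaults       0 0
'

# Candidate list of legacy / rarely used filesystem modules to consider
# disabling. Chosen for this example; adjust to the kernel and site in use.
CANDIDATES="hpfs adfs affs befs bfs efs freevxfs hfs hfsplus jfs minix omfs qnx4 qnx6 sysv ufs"

# fstab_types: print the filesystem types an fstab references, one per
# line, skipping comment and blank lines.
fstab_types() {
    printf '%s\n' "$1" | awk '$0 !~ /^[[:space:]]*#/ && NF >= 3 { print $3 }' | sort -u
}

# policy_for: given fstab text and a candidate module list, print
# modprobe.d lines for every candidate the fstab does not use.
# "blacklist" only stops alias-based autoload (e.g. on mount -t hpfs);
# "install <mod> /bin/false" additionally makes an explicit modprobe fail,
# so a bare blacklist line is not enough on its own.
policy_for() {
    fstab="$1"; candidates="$2"
    used=$(fstab_types "$fstab")
    for mod in $candidates; do
        if printf '%s\n' "$used" | grep -qx "$mod"; then
            echo "# $mod: kept, referenced in fstab"
        else
            echo "blacklist $mod"
            echo "install $mod /bin/false"
        fi
    done
}

# disabled_count: number of modules the generated policy disables.
disabled_count() {
    policy_for "$1" "$2" | grep -c '^install '
}

# is_kept: succeed if module $3 is retained by the policy for fstab $1
# and candidate list $2.
is_kept() {
    policy_for "$1" "$2" | grep -q "^# $3: kept"
}

# Usage on a real host (output path is an assumption, pick your own name):
#   policy_for "$(cat /etc/fstab)" "$CANDIDATES" > /etc/modprobe.d/60-disable-unused-fs.conf
# Here we just show the policy the sample fstab produces.
policy_for "$SAMPLE_FSTAB" "$CANDIDATES"
```

With the sample fstab, hpfs is kept (it is mounted on /os2) and the other fifteen candidates get both a blacklist and an install line; re-run the generator whenever fstab changes, and check with `modprobe -n -v <mod>` what the resulting policy will do before relying on it.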