On Thu, 2009-11-05 at 17:33 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 11:52:52 Brian K. White wrote:
What rock have you been living under?
The one where you learn how to read.
I did not in any way talk about the differences between open source and closed source, don't try to make my statements out to be some sort of defence of closed source, because all that means is you haven't read what I wrote.
Your arguments hinge on there being essentially no difference between the two, that any problems would exist equally in each, be equally dangerous or not, be equally fixable or not, be equally likely to be fixed or not, on the same time scale. Which is a ridiculous thing to say.
All I said was that if there is a bug in the flash software, the presence or absence of the cache is completely irrelevant.
That's a pretty amazing statement. How do you figure? The OP's point was that, you cannot know what the magic black box is doing with that cache, and, that that cache can do things that an ordinary cookie cannot.
It's pretty hard to store a binary executable in 4k plain text cookies. And it's pretty hard to get any open source browser to do such a thing as download and execute a binary without the user knowing. But 100k up to unlimited blob of binary data, solely managed and used by a black box you can't see inside of? This is all the difference in the world. The two things are in no way equivalent.
Yes, the binary can only do things that the user can do, but that is rather a lot. The user can read all of his own files and can access the internet. How is that not a dangerous combination of things to put in the hands of an unauditable binary? Especially as in this case, where the binary's actions are not really all the responsibility of the author, or the end user, but unknown outsiders who can put things on web sites that can make use of the flash plugin.
Yes, there are ways to inspect and sandbox and block a black box mystery binary, but it's impractical to take those measures for every binary on your system, so you do have to have some reason for your suspicion to be alerted that a binary warrants scrutiny. The things they described about what the flash plugin could do, and further, what it has been observed actually doing, are just exactly that flag.
I don't see what is invalid about the original post that raised the issue. It's exactly the correct and normal procedure. You start out assuming the proprietary binary author is above board and so you trust them and use their binary until you have some reason to suspect things might not be cool. The reason to suspect has come along, and the response was entirely appropriate.
--
bkw