Re: Is Mozilla's "patch" enough?

[Aviv Raff <avivra () gmail com>]

On Mon, 12 Jul 2004 21:02:51 +0200, Florian Weimer <fw () deneb enyo de> wrote:
> * Aviv Raff:
>
> > On Mon, 12 Jul 2004 20:34:44 +0200, Florian Weimer <fw () deneb enyo de> wrote:
> > > * Aviv Raff:
> > >
> > > > Security patches shouldn't be overridden unless intended too (i.e
> > > > uninstalled).
> > >
> > > This is not standard industry practice.  Especially if a patch might
> > > break previously working configuration, I completely agree that it's
> > > correct.
> >
> > That's why there should be a way to uninstall the patch, as I wrote.
>
> This requires that you have individual patches for each vulnerability,
> something that is often practically impossible (because of
> combinatoric explosion) and is a support nightmare if it is possible.

That's why from time to time there should be a cumulative patch (aka
Service Pack).

> Those vendors supplying source code are far better off in this area.
> You simply pick the parts you like and recompile your own version.

You really think that those people who don't know how to use the
configuration files, will know how to recompile their own version?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html