echo: nthelp
to: Adam Flinton
from: Chris Robinson
date: 2004-02-19 04:57:04
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

From: "Chris Robinson" 

Adam Flinton wrote:

> > From: "Geo."
> > "Adam Flinton"  wrote in message
> > news:509264.5140f7{at}harborwebs.com...
> >> SE Linux comes with the source rpm'es for the fedora stuff but
> >> seeing how they're not even compiled to binaries I fail to see how
> >> they would count as applications.
> > Let's say today you have a current SE Linux CD, put it in a safe, on
> > December 31st you take it out and install everything on the CD. Now
> > if you are exploitable then those count as security issues that
> > need to be addressed.  The product is defective.
>
> Yup. & there are 2 easy ways round that:
>
> 1) If machines are in a closed network then you can maintain an up to
> date CD.
>
> 2) If the machines are allowed onto the internet (with a broadband
> connection) then you can design a distie such that the install has
> the "minimum to get you on the network" on the CD itself such that
> the chances of that part being exploitable are low. Equally it makes
> the install bit that much easier to keep up to date as per point (1).
>
> You then always install the most recent versions of the applications
> from a distribution's server when you install.
>
> > That's all I'm saying, I'm not trying to label one an OS flaw and
> > another an Application flaw because today's software has become so
> > integrated and there are so many dependencies you just can't do
> > that. You of all people should realize that a flaw in some piece of
> > portable code that's exploitable on one platform and not
> > exploitable on another forces you to view this a different way than
> > that.  Geo.
>
>
> There are dependencies but I'm not so sure stuff is so integrated as
> you make out. Sure lots of stuff depends on there being a TCP network
> stack, however that doesn't mean anything is dependent upon a
> specific implementation of a TCP stack.
>
> It's a bit like this "Service based architecture" thingy. I.e. you
> see tcp as a service of which you use a portion. Disk access &
> storage is another service etc. Do you need to care if the bits are
> on a local IDE, local SCSI, Local CD, SAN etc.etc.etc.? Nope, you ask
> an address for a stream/file & it services your request.
>
> I would say apps are actually less integrated in many ways than they
> used to be. It's been a while since an app came with its own vid
> drivers or memory management for example (OK some games still might
> if running on Win-DOS).
>
> You have CP (Cross Platform) toolkits like say QT etc. which allow
> you to build your app to a set of common services (e.g. disk access,
> network etc) w/o bothering if the app is compiled for Linux on intel,
> linux on ppc, windows on intel etc.
>
> Adam

Or, you can boot the machine offline, put in a CD with all the patches on
and point any update software you run to the CD (depending how the distro
updates).

Chris.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
