Subject: Re: What to do about unfixed vulnerabilities?
To: Trevor Johnson <trevor@jpj.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 10/23/2000 15:03:48
From: "Steven M. Bellovin" <smb@research.att.com>
To: Trevor Johnson <trevor@jpj.net>
Cc: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>,
	Paul Hoffman <phoffman@proper.com>, tech-pkg@netbsd.org,
	tech-security@netbsd.org
Subject: Re: What to do about unfixed vulnerabilities? 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Oct 2000 15:03:48 -0400
Message-Id: <20001023190349.614DF35DC2@smb.research.att.com>

In message <Pine.BSI.4.21.0010231447310.7996-100000@blues.jpj.net>, Trevor Johnson writes:
>Hubert Feyrer wrote:
>
>> On Mon, 23 Oct 2000, Trevor Johnson wrote:
>> > I notice this in FreeBSD's ports/mail/pine4/Makefile,v:
>> <deleted>
>> 
>> That's nice. We're NetBSD. Pleased to meet you! :-)
>
>The remark pertains to the PINE distfile.  If UW magically sends different
>sources when NetBSD users download PINE, then it makes sense that you
>dismiss the remark.  Otherwise, it does not.

More to the point, the general thrust of the comment -- that any 
program with that many uses of known-dangerous functions is unlikely 
to be correct -- applies on any host.

		--Steve Bellovin
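The kind of audit behind the FreeBSD Makefile remark (which is deleted from the quote above) is a count of call sites of unbounded libc string functions in the unpacked distfile. The script below is an added example, not part of this thread and not code from PINE, FreeBSD or NetBSD. The list of functions it counts (gets, strcpy, strcat, sprintf, vsprintf) is the editor's assumption of what "known-dangerous" meant here, and the C file it writes is a constructed sample, not PINE source; point `report_tree` at a real source tree instead.

```shell
#!/bin/sh
# Added example: count call sites of unbounded libc functions in a C tree.
# Not from the original message or from the PINE/FreeBSD/NetBSD sources.

# Assumed list of "known-dangerous" functions (editor's choice, not the
# original Makefile's list).
DANGEROUS="gets strcpy strcat sprintf vsprintf"

# count_calls FUNC DIR : number of lines in *.c/*.h under DIR containing a
# call to FUNC.  The leading group rejects identifiers that merely end in
# FUNC, so fgets( is not counted as gets( and vsprintf( not as sprintf(.
# Lines, not call sites, are counted, and comments are not excluded; this
# is a triage number, not a proof.
count_calls() {
    _pat="(^|[^A-Za-z0-9_])$1[[:space:]]*\("
    find "$2" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -hE "$_pat" {} + | wc -l | tr -d ' '
}

# report_tree DIR : one "func count" line per function, then "total N".
report_tree() {
    _total=0
    for _f in $DANGEROUS; do
        _n=$(count_calls "$_f" "$1")
        echo "$_f $_n"
        _total=$((_total + _n))
    done
    echo "total $_total"
}

# make_sample DIR : write a small constructed C file (sample input for this
# example only) containing three unbounded calls, one gets(), and one
# bounded strncpy() that must not be counted.
make_sample() {
    mkdir -p "$1"
    cat > "$1/sample.c" <<'EOF'
#include <stdio.h>
#include <string.h>

static char buf[64];

void greet(const char *name)
{
    strcpy(buf, "hello ");              /* unbounded copy */
    strcat(buf, name);                  /* unbounded append */
    sprintf(buf, "%s!", buf);           /* unbounded format, same buffer */
    strncpy(buf, name, sizeof buf - 1); /* bounded: not counted */
}

int main(void)
{
    char line[32];
    gets(line);                         /* never safe */
    greet(line);
    return 0;
}
EOF
}

# Usage: sh dangerous.sh /path/to/unpacked/distfile
if [ -n "$1" ]; then
    report_tree "$1"
fi
```

On the constructed sample the report ends with `total 4`; on a real distfile the interesting output is not the total but which files carry the bulk of the hits, which is where a reviewer would start reading.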