Re: Adobe Reader

[SODA Noriyuki <soda%yuruyuru.net@localhost>]

>>>>> On Mon, 01 Feb 2010 20:29:42 +0700, Robert Elz 
>>>>> <kre%munnari.OZ.AU@localhost> said:

> I don't use acrobat (acroread*) and don't care about the subject of
> this mail, but ...
> 
>   | This is not really correct, because you are ignoring risks to continue
>   | to use it.   It's is too dangerous to use acroread 4 and 5 these days,
>   | so it's far from "fine".
> 
> please don't make arguments like that.   First, I doubt that you really have
> any idea who might, or might not, be ignoring anything,

Actually I know some (although not all), because I made some private
discussion with some acroread user, he suggested that the treat is
negligible, and he would continue to use acroread. ;-/

> and second, what is "too dangerous" all depends upon a risk/benefit
> analysis of which the outcome will depend upon the risks and costs
> of each individual site, and which I doubt that you have carried out
> (for everyone).

In this case, 
- risk is certainly not zero (since there are certain risks for linux
  users, and NetBSD users have nearly same risks with linux users,
  because it's a linux binary).
- benefit is practically zero, since there are reasonable alternatives.

I don't think there is any actual user whose benefit is greater than
her/his risk.

> I am fairly sure they're not too dangerous for me, because as I
> understand it, all of the security problems with the acroread set of
> packages are relevant only if an attacker can somehow trick me into
> accessing a bogus PDF file using that application (and then they
> might be able to take over my account).  But since I don't use
> acroread (any version) for reading PDF files (and nor do my MUA nor
> browser, nor anything else),

In that case, why you need the acroread package all?
If you never use acroread, certainly it's not necessary to have
acroread in your system.

> and if I wanted to have it installed, just so I can show people
> "sure, I have acrobat, there it is, but I use ..." I don't see what the
> problem would be?  What threat do you think I'm under?

Because users of your machine might use acroread despite of your
suggestion (since you leave it installed, they might think maybe it's
ok to use it), and then their account would be cracked, and then even
your account would be cracked due to some local root hole (as you
know, it's really hard to remove all local holes from all 3rd party
packages).

Also, don't the people who look at your acroread say "ah, it's
too old and too dangerous version, what a poor man who has to
install such braindamaged version on his system"? ;-)
Showing too old version of acroread is not benefit at all, but
just shame.

If I really want to show people that my machine can run acroread,
either
- I'll port acroread 9 to NetBSD
or
- I'll show acroread 9 on linux on qemu (or something) on NetBSD.
-- 
soda