Subject: Re: What to do about unfixed vulnerabilities?
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-pkg
Date: 10/23/2000 18:24:45
At 7:57 PM -0400 10/23/00, Matthew Orgass wrote:
>On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>
>>  More to the point, the general thrust of the comment -- that any
>>  program with that many uses of known-dangerous functions -- is unlikely
>>  to be correct applies on any host.
>
>   Further, warning only about a denial of service attack when there is a
>known remote exploit is very misleading.  Pine builds should be disabled
>until there is some reason to believe that it is safe to use (as the
>comment says, not likely anytime soon). The security notice should say
>"don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
>well as the comment.

I disagree with the "don't use pine" part, because...

>   I'll confess that I'm writing this from pine, not having had the chance
>to review alternatives yet.  Does anyone know of a mail client that is
>close in feel to pine to refer those of us who like pine but don't really
>want to give the world a key to our system?

There is no character-based MUA that is nearly as standards-compliant
as pine. (Well, there are some that have many fewer features that are
more standards-compliant, but you can figure out why....)