Subject: Re: What to do about unfixed vulnerabilities?
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-security
Date: 10/23/2000 18:24:45
Mime-Version: 1.0
Message-Id: <p05010425b61a94955bc2@[165.227.249.17]>
In-Reply-To: <Pine.BSI.3.96.1001023192246.18894A-100000@doit.pgh.net>
References: <Pine.BSI.3.96.1001023192246.18894A-100000@doit.pgh.net>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 7:57 PM -0400 10/23/00, Matthew Orgass wrote:
>On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>
>>  More to the point, the general thrust of the comment -- that any
>>  program with that many uses of known-dangerous functions -- is unlikely
>>  to be correct applies on any host.
>
>   Further, warning only about a denial of service attack when there is a
>known remote exploit is very misleading.  Pine builds should be disabled
>until there is some reason to believe that it is safe to use (as the
>comment says, not likely anytime soon). The security notice should say
>"don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
>well as the comment.

I disagree with the "don't use pine" part, because...

>   I'll confess that I'm writing this from pine, not having had the chance
>to review alternatives yet.  Does anyone know of a mail client that is
>close in feel to pine to refer those of us who like pine but don't really
>want to give the world a key to our system?

There is no character-based MUA that is nearly as standards-compliant as pine. (Well, there are some that have many fewer features that are more standards-compliant, but you can figure out why....)