On Sun, 2004-06-20 at 21:08 -0700, T. 'Nifty New Hat' Mitchell wrote:
> On Sun, Jun 20, 2004 at 02:48:28PM -0500, Jeff Vian wrote:
> > Rui Miguel Seabra wrote:
> > >On Sun, 2004-06-20 at 16:00 +0200, Alexander Dalloz wrote:
> > >>On Sun, 20.06.2004 at 15:41, Rui Miguel Seabra wrote:
> > >>>proftpd has historically had many security problems (probably due to the
> > >>>many more features).
> > >>>
> > >>Which software not?
> ....
> > >
> > >FTP is in the same class as TELNET... obsolete, redundant, less secure,
> > >etc... :)
> ....
> >
> To some extent it is important to not be black and white on this
> stuff. Almost all of the interesting tools have had serious security
> bugs. At one point ssh had a bug serious enough that many sites
> switched to telnet for the couple weeks that it took to get the bug
> fixed and new versions distributed.
>
> The point is that "system" managers should consider their choices and
> be moderately ready to substitute one less interesting package for the
> nifty new package. In making setup decisions or package selection
> consider the impact of turning one off and another on and back.

One of the most important rules is: if it ain't broke, don't fix it.
A corollary could be: if it breaks frequently, change to something that
doesn't.

If you have a large enough number of things to do, you definitely don't
want to patch every half year when you can patch every two years.

For what I've seen so far, proftpd seems more likely to have another
security bug than vsftpd. :)

Although nowhere near as frightful as wu-* stuff ;)

Rui