On 2025-10-31 17:03:47 +0100, Nicolas George wrote:
> Vincent Lefevre (HE12025-10-31):
> > You would have seen that there is potential denial of service
> > (process crashes).
>
> At worst, true. It is a mistake to lump denials of service together with
> real security flaws. For starters, it is possible to deny service by the
> virtue of being bigger than the target, without any flaw in the target.
>
> > Worse, Fabio Degrigis could trigger a SIGSEGV on a memcpy:
> >
> > https://www.openwall.com/lists/oss-security/2025/10/18/4
> >
> > which would mean a bad pointer or buffer overflow.
>
> → a crash.

Bad pointers and buffer overflows can have worse effects than just a
crash. And even if this is just a crash, this can yield data loss.

> > Almost all software runs on Windows or Macos. So what?
> > Here we're on Debian.
>
> You have not answered: so what if most software does something? Is it
> supposed to imply that it is a good thing?

Personally, I think that the fact that almost all software runs on
Windows or Macos is a good thing, as long as they run on Linux too
(otherwise I do not care). This means more users, thus tends to increase
the interest and the number of developers, which benefits all users,
including Debian ones.

> > This is silly.
>
> Absolutely not. In terms of security and stability, there is no
> difference between a package that you have not installed because you
> have chosen not to install it and a package that you have not installed
> because it is not available.

The point is that I want to install some package (which would be
perfectly fine without the dependency). Telling me not to install it is
just silly.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

