[FFmpeg-devel] [PATCH] Fix compilation on OpenBSD

Michael Niedermayer michaelni
Fri Nov 21 12:58:32 CET 2008


On Fri, Nov 21, 2008 at 11:51:06AM +0300, Andrew Savchenko wrote:
> Hi,
> 
> On Thursday 20 November 2008 11:00, Michael Niedermayer wrote:
> > On Wed, Nov 19, 2008 at 08:10:07PM -0500, The Wanderer wrote:
> > > Michael Niedermayer wrote:
> [...]
> > > > Now one has to wonder why outdated software is supposed to
> > > > be more secure ...
> > >
> > > More secure than more recent software? It probably isn't.
> 
> This highly depends on security policy and a lot of other factors.
> There are two extremities: to use only old, definitely stable and
> verified-with-ages versions, and to be always on the leading edge
> with the most advanced security innovations and updates made so
> frequently that no attacker will be able to use any publicly
> known security issues. And there are plenty of varieties in
> between; afaik the most often used approach is the first
> extremity mentioned, with the exception for security updates.

There is no "definitely stable and verified with ages version"
for any non-trivial piece of code.

"Verified with ages" just means it works fine for all inputs encountered
and likely will continue to do so as long as nothing major changes in the
inputs.
That doesn't say what will happen if someone reads the code and constructs
specific input for an exploit, or what will happen when someone tries
an exploit from the leading edge version against the old code.

In practice IMHO, your best hope with old software is that an attacker
will fail to guess the exact version and thus a few addresses in her
exploit will be off and it will just crash your server.
And of course chances are your server is not important enough for
anyone to invest more than a little time.

It might be different if all security fixes were backported to old
versions, but that just doesn't happen for anything for which I've followed
development closely.
This though would still require you to regularly update to the patched
versions (which, if I understood you correctly, you can't do before February).

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates