Re: Is Mozilla's "patch" enough?

[Florian Weimer <fw () deneb enyo de>]

* Aviv Raff:

> On Mon, 12 Jul 2004 20:34:44 +0200, Florian Weimer <fw () deneb enyo de> wrote:
> > * Aviv Raff:
> >
> > > Security patches shouldn't be overridden unless intended too (i.e
> > > uninstalled).
> >
> > This is not standard industry practice.  Especially if a patch might
> > break previously working configuration, I completely agree that it's
> > correct.
>
> That's why there should be a way to uninstall the patch, as I wrote.

This requires that you have individual patches for each vulnerability,
something that is often practically impossible (because of
combinatoric explosion) and is a support nightmare if it is possible.

Those vendors supplying source code are far better off in this area.
You simply pick the parts you like and recompile your own version.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html