Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in

greg(at)CopelandConsulting(dot)Net (Greg Copeland) wrote

> Time and time again I've read what basically amounts to, "...if someone
> can crash it it's because someone is stupid enough to allow someone to
> be able to do it in the first place..." Maybe you're right. After all,
> if core developers continue to turn a blind eye to such issues, they are
> in fact, the facilitators of allowing people to do it to begin with.=20
> That is, they are the ones that allowing people to do it in the first
> place. In short, every time I see that response, I immediately think,
> "...now that's the pot calling the kettle black."
>
> At some point in time, you have to stand and say, "the buck stops here."
>

I agree here, but at the same time you cannot put 100% of the
responsibility on the developers. If you are the dba/sysadmin/whatever/etc
then it is your responsibility. It is up to you to know about potential
problems and have workarounds or whatever it is you need to do. I think
that is one of the things that seperates a "good" admin from a "not-so-
good" one.

Afterall, when your boss calls you into his office monday morning and asks
for a really good explanation for why the db was cracked, I dont think he
is going to accept the excuse "this guy, you dont know him but his name is
tom lane.. well anyway, he didnt fix this bug i knew about so i didnt do
nothing about it because i shouldnt have to because that would be like the
pot calling the kettle black"

That being said, I do agree the developers should give things like this
more priority. But, its open source... so you either live with it or
write your own patch.