lynx-dev

Re: LYNX-DEV Re: ...vulnerability in Lynx...


From: Scott McGee (Personal)
Subject: Re: LYNX-DEV Re: ...vulnerability in Lynx...
Date: Fri, 9 May 1997 09:45:17 -0600

address@hidden (Larry W. Virden, x2487) writes:
>
>Perhaps the best approach is for configure to set a flag indicating
>sticky directories or not.  Then, in lynx, 
>if sticky directories supported, but the directory to be used isn't sticky
>       lynx won't run.

Come on now! Lynx isn't some DOD hyper sensitive program with top secret
data that should only be run in an ultra secure environment, it is a web
browser. It should attempt to run in any environment it is asked to. If the
system Lynx is run or compiled on is noticeably insecure, then _AT MOST_ it
should issue a polite, ignorable notice, and then continue to run.

Suppose Joe Blow out there has just installed Lynx on his PC. He's heard
that Lynx is fast and has a slow modem so gives it a try. His inexperience
with Linux causes him to have his system set up insecurely. Lynx refuses to
run. Joe now says "screw this crap" and gets Netscape. Boy, we sure helped
him a lot!

Lynx SHOULD try to run as securely as possible in whatever environment it is
run in. 

Lynx SHOULD NOT try to enforce any type of security measures outside itself.

Lynx SHOULD politely and gently notify the user of a severe security problem
if it detects one in the process of trying to run securely.

Lynx SHOULD NOT refuse to run until it is fixed.

Lynx SHOULD browse the web efficiently and correctly.

Lynx SHOULD NOT create security problems.

Here is my bottom line view. If the problem being discussed is inherent to
Lynx, it should be fixed. If, however, it is inherent to the way the OS is
configured, and just something that Lynx makes easier to take advantage of,
then Lynx should try to do its best to avoid making itself useful in taking
advantage of this problem as long as that doesn't interfere with its primary
function. At the bottom line, Lynx is a browser, and should worry about 
browsing. If the underlying system is insecure, that is not Lynx's fault and
we shouldn't worry overly about it. If the fix is easy and not detrimental
to Lynx's primary function, yes, we should fix it. If it depends on OS hacking
to fix, then Lynx should AT MOST let the user know there is a potential
problem (though that could arguably be letting the WRONG party know!). Leave
OS problems to CERT and others, and let's get on with browsing as well as we
can without increasing security problems.

Scott

Scott McGee: Salt Lake Community College Webmaster | When in danger,
___________________________________________________| or in doubt,
Email: address@hidden (Scott McGee)         | run in circles,
Web:   http://www.slcc.edu/infotech/webmaster.html | scream and shout.
----------------------------------------------------------------------
My opinions do not necessarily reflect those of the College. Trust me!
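
The policy argued in the message above (check for a non-sticky shared directory, print an ignorable notice, keep running, and still create files as safely as possible), sketched as an added example that is not Lynx code and not from either poster. It assumes the directory under discussion is a shared temporary directory such as /tmp; the function names and the `scratch` file prefix are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for this illustration; not taken from Lynx. */
enum dir_risk { DIR_UNREADABLE = -1, DIR_OK = 0, DIR_SHARED_NOT_STICKY = 1 };

/* World-writable without the sticky bit means any local user may rename
 * or delete files that other users create in the directory. */
enum dir_risk classify_dir(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return DIR_UNREADABLE;
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
        return DIR_SHARED_NOT_STICKY;
    return DIR_OK;
}

/* Warn but never refuse, then create the file defensively anyway:
 * mkstemp() picks an unpredictable name and opens it with O_EXCL and
 * mode 0600. Returns the open descriptor, or -1 on failure. */
int open_scratch_file(const char *dir, char *path, size_t pathlen)
{
    if (classify_dir(dir) == DIR_SHARED_NOT_STICKY)
        fprintf(stderr, "Note: %s is world-writable without the sticky bit; "
                "other users could tamper with temporary files.\n", dir);
    int n = snprintf(path, pathlen, "%s/scratchXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;                    /* path would be truncated */
    return mkstemp(path);
}

int main(void)
{
    char path[256];
    int fd = open_scratch_file("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("open_scratch_file");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

The notice goes to stderr and the return value does not depend on it, so the program behaves the same on a sticky and a non-sticky directory apart from the message.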