[cap-talk] DJB on Least Privilege

[David Molnar]

On 11/3/07, Mark Miller <erights at gmail.com> wrote:
>
> On Nov 3, 2007 1:35 PM, Jonathan S. Shapiro <shap at eros-os.com> wrote:
>
> > All of which reminds me of an orthogonal point: people use the cost of
> > legacy repair as an excuse to do nothing, and routinely ignore the fact
> > that new programs naturally replace old at a surprisingly rapid pace.
> > This raises the question: why are we (i.e. the field, and particularly
> > academia) not focusing much greater attention on improved
> > software/security engineering for virgin programs?
>
>
> I just wanted to say that this is an excellent point that should be
> shouted from the rooftops.
>
> Do any of us here, by any chance, know of any kind of quantitative data
> regarding how rapid this pace of replacement is, in any important context?
>

I haven't computed it, but you could look at the list of packages in the
"default" installation of different versions of a Linux distribution and see
how often additional programs are added or deleted that fill the same
function. This doesn't exactly tell you the replacement rate, unless there
was only one program that filled such a function and it was replaced, but it
is a place to start. You'd then want to check that the new program is not
just a renaming of a previous program, of course (e.g. gaim --> pidgin), and
eventually correct for code that may be shared between the two programs (e.g.
a
new image editor may have copied broken jpg or TIFF code from an old one).

One thing that came to mind when reading your message was the replacement of
xfree86 with x.org in several distributions. As I look into it, though, this
doesn't seem to count, since x.org forked from xfree86 and isn't a virgin
program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20071104/828926d0/attachment.html