Message-ID:
 <ME0P300MB071302891271CE8EBFA6BBAAEEC7A@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Date: Mon, 3 Nov 2025 12:53:31 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Questionable CVE's reported against dnsmasq

Russ Allbery <eagle@...ie.org> writes:

>This is a bit of an "ask the Lazyweb" question since I have done only minimal
>research, but is there any way for me to declare, as the software maintainer,
>what I consider to be the security boundaries of the software in a way that
>can be at least partially machine-readable?

Even before getting into that, how do you document that people shouldn't do
certain things with their config files, or by extension which bits are inside
and outside the security boundary?  "If an unauthorised party can modify your
config files then bad things can happen" seems redundant, "We take no
responsibility for what happens if you fail to take unspecified steps to
secure your config files" might be correct but will be perceived as
blame-the-victim... how do you document this for users?

Peter.
