From: "Daniel C. Sobral" <dcs@newsguy.com>
Date: Mon, 05 Jun 2000 00:41:29 +0900
To: Matt Heckaman
Cc: Alfred Perlstein, FreeBSD-ADVOCACY <freebsd-advocacy@freebsd.org>
Subject: Re: FreeBSD/Solaris
Message-ID: <393A78A9.4BDA52BB@newsguy.com>
List: freebsd-advocacy (owner-freebsd-advocacy@FreeBSD.ORG)

Matt Heckaman wrote:
>
> : A search on rootshell.com shows _55_ exploits for solaris and only
> : 15 for FreeBSD.
>
> Yes, I saw that. The FreeBSD advisory directory contains 58 advisories,
> a lot are DoS attacks though that bit everyone. These are both facts I
> mentioned and got the reply from him that "FreeBSD doesn't announce all
> their security problems, it's just a PR game." bah! I think he just can't
> believe that an OS doesn't have a lot of security exploits :)

We have the source code available, and the *HISTORY* to the source code
available. Every single change in the source code has attached to it an
explanation why that change was done. This is publicly available, and, in
fact, http://www.freebsd.org/cgi/cvsweb.cgi/ will give you this on the web.

Add to that, every time someone commits one of those changes, a message is
sent to an open-subscription mailing list informing which files were
changed, in which branch, how many lines in each file, and with the
above-mentioned explanation.
If the explanation is too obscure, anyone is free to reply to it asking for
clarification, something that actually happens every now and then. I _think_
we also keep archives for that list, so that anyone can check it out too.

So, let's see what could be happening:

1. We find security holes, do not report them to anyone, and do not fix
them so no one will notice we had them in the first place.

Not likely. Either others would find them, and then you'd see hacker tools
to exploit them, see them appear on Bugtraq or rootshell, or no one ever
finds them (which implies we are safe anyway :).

2. We find security holes, do not report them to anyone, and fix them
quietly.

OpenBSD has been accused of doing that, actually. :-) But given the way we
advertise all our changes, and the fact that they are available for anyone
to see at any time, the *whole* history, isn't it a bit unlikely that no one
has ever caught us doing it? And, as a matter of fact, if we _were_ doing
that, wouldn't it make sense _not_ to make all these change logs available
for anyone to see? Like, for instance, Solaris? :-) I mean, it would mean we
are not only sneaky and sly, but very dumb too. And, still, no one has
caught us at it! :-)

3. We find security holes, report them, and explain we are fixing them
while changing the code.

Well, if we *were* doing that, there would be _evidence_ we were doing that,
right? Right. If you go look at or cvs log, you will find instances where a
change is said to be made to fix security holes.

Last... check out who reported the security holes at Bugtraq or rootshell.
They usually come from _users_, not developers.

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org
capo@yet.another.bsdconspiracy.org

Hmmm - I have to go check this. My reality assumptions are shattered.
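The check the post suggests (look in the cvs log for changes that say they fix security holes) can be automated. What follows is an added example, not code from the post or from the FreeBSD project: it parses `cvs log`-style output, records for each revision the file, author, line counts and log message (the same information the commit mails carry), and lists the revisions whose message names a security fix. The log text is constructed for illustration and is not real FreeBSD history, and the keyword list is an assumption about how such fixes get described.

```python
"""Find revisions in `cvs log` output whose log message declares a security fix.

Added example. SAMPLE_LOG is constructed for illustration (not real FreeBSD
history) and SECURITY_TERMS is an assumed list of words such fixes tend to use.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Assumed vocabulary; extend it for the tree you are actually scanning.
SECURITY_TERMS = ("security", "overflow", "exploit", "vulnerab",
                  "hostile", "malicious", "privilege")

# Constructed `cvs log` output for two files (not real history).
SAMPLE_LOG = """\
RCS file: /home/ncvs/src/usr.bin/example/example.c,v
Working file: example.c
head: 1.4
symbolic names:
\tRELENG_3: 1.2.0.2
keyword substitution: kv
total revisions: 4;\tselected revisions: 4
description:
----------------------------
revision 1.4
date: 2000/06/01 10:12:33;  author: alice;  state: Exp;  lines: +14 -3
Bounds-check the option parser before copying into a fixed buffer.
This is a security fix: a long argument could overflow the stack.
----------------------------
revision 1.3
date: 2000/05/20 08:00:01;  author: bob;  state: Exp;  lines: +2 -2
Fix a typo in the usage message.
----------------------------
revision 1.2
date: 2000/04/11 17:45:10;  author: alice;  state: Exp;  lines: +30 -5
MFC: merge the new option parser from HEAD.
----------------------------
revision 1.1
date: 2000/03/01 09:00:00;  author: bob;  state: Exp;
Initial import.
=============================================================================
RCS file: /home/ncvs/src/lib/libexample/parse.c,v
Working file: parse.c
head: 1.2
description:
----------------------------
revision 1.2
date: 2000/05/29 12:00:00;  author: carol;  state: Exp;  lines: +5 -1
Reject negative lengths so a hostile client cannot make us read past
the end of the buffer.  Reported by a user on bugtraq.
----------------------------
revision 1.1
date: 2000/02/01 09:00:00;  author: carol;  state: Exp;
Initial import.
=============================================================================
"""

# "date: ...;  author: ...;  state: ...;  lines: +A -R" (lines: absent on 1.1)
HEADER_RE = re.compile(
    r"date: (?P<date>[^;]+);\s+author: (?P<author>[^;]+);\s+state: [^;]+;"
    r"(?:\s+lines: \+(?P<add>\d+) -(?P<rem>\d+))?")


@dataclass
class Revision:
    rcs_file: str
    revision: str
    date: str
    author: str
    added: int
    removed: int
    message: str


def parse_cvs_log(text: str) -> List[Revision]:
    """Split cvs log output into per-file blocks, then per-revision entries."""
    revisions: List[Revision] = []
    for block in re.split(r"^={20,}\n", text, flags=re.M):
        m = re.search(r"^RCS file: (.+),v$", block, re.M)
        if not m:
            continue  # empty tail after the last separator
        rcs_file = m.group(1)
        parts = re.split(r"^-{20,}\n", block, flags=re.M)
        for part in parts[1:]:  # parts[0] is the per-file header
            lines = part.rstrip("\n").split("\n")
            if len(lines) < 2 or not lines[0].startswith("revision "):
                continue
            header = HEADER_RE.match(lines[1])
            if not header:
                continue
            revisions.append(Revision(
                rcs_file=rcs_file,
                revision=lines[0].split(" ", 1)[1],
                date=header["date"].strip(),
                author=header["author"].strip(),
                added=int(header["add"] or 0),
                removed=int(header["rem"] or 0),
                message="\n".join(lines[2:]).strip()))
    return revisions


def security_fixes(revisions: Sequence[Revision],
                   terms: Sequence[str] = SECURITY_TERMS) -> List[Revision]:
    """Keep revisions whose log message mentions any of the assumed terms."""
    return [r for r in revisions
            if any(t in r.message.lower() for t in terms)]


def report(revisions: Sequence[Revision]) -> List[str]:
    """One summary line per revision: file, rev, author, delta, first line."""
    return [f"{r.rcs_file.rsplit('/', 1)[-1]} {r.revision} ({r.author}, "
            f"+{r.added}/-{r.removed}): {r.message.splitlines()[0]}"
            for r in revisions]


if __name__ == "__main__":
    for line in report(security_fixes(parse_cvs_log(SAMPLE_LOG))):
        print(line)
```

Run against a real tree you would feed it `cvs log` (or cvsweb's log view) for the files you care about; the point of the exercise is that the flagged entries can then be compared against the published advisories, which is exactly the cross-check the post says anyone is free to do.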