Date:      Tue, 02 Jul 2002 11:41:12 +0200
From:      Marc Perisa <perisa@porsche.de>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-chat@freebsd.org
Subject:   Re: Low-volume list
Message-ID:  <3D217538.9050508@porsche.de>
References:  <4.3.2.7.2.20020701210911.022a3650@localhost> <4.3.2.7.2.20020701210911.022a3650@localhost> <4.3.2.7.2.20020702021318.00d4d740@localhost>

Brett Glass wrote:

>At 10:59 PM 7/1/2002, Michael Bryan wrote:
>
>>Yeah, you're right!  Too bad the FreeBSD team never thought of that!!!
>>
>>Oh wait, they did, years ago, explaining why one of my mail folders
>>contains -only- FreeBSD security announcements:
>>
>>http://www.freebsd.org/security/security.html#ml
>>
>>Sheesh.  RTFM.  (RTFWP?)
>
>CFTFWP (Couldn't find the fine Web page), I guess.
>
>In any event, most people seem to believe that -security is the
>low volume list. If that's not its charter, then why all the
>complaints when there is (horrors!) a discussion?
>
>--Brett
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

Because most of the discussions you start are _not_ _technical_.
They are political.
And that does not belong on the security list (as stated _clearly_ in 
the charter).
Like this thread.

If you had done your homework (that means: reading the web page and/or 
the handbook) you wouldn't even have started THIS thread.
You are not a newbie.
You call yourself a professional administrator and programmer.
So act like one: Read the documentation.

<my personal meaning about your quest>
You are not a newbie and while you are advocating to be much more 
security aware (that would be nice) you mostly only talk. But as pointed 
out before:  We all here are volunteers. So, volunteer. Think about a 
process and implementing it. Without losing stability - which is the 
main concern of FreeBSD.

If you want something done - DO it. Like you did some weeks ago when you 
put up the binary distribution against a bug (which contained errors - 
you are seeing how hard these things are to get correct, aren't you?).

Keep that way up, working up your ideas, providing something additional 
to the official way, fully functional - and IF it becomes famous enough 
surely it will be integrated.

But yelling at people who do the work patching FreeBSD and trying to 
keep up with the evil guys, will NOT help you nor anybody else. It will 
only upset people who are working hard in their spare time. And we will 
probably lose them - since they don't think that getting bashed was 
the fun they wanted to have. Try to show them something they can look 
at. That they can use. That they can give you credit for.

I don't know if you use commercial software from vendors like HP, 
Oracle, IBM ... . I have to at work. And right now, THREE WEEKS AFTER 
the Apache bug, some vendors HAVEN'T even DECIDED to patch it (like 
Oracle *sigh*). You were talking about that commercial vendors got 
things right. They don't. In most cases.
</my personal meaning about your quest>

<my personal meaning about your style>
Why are you answering to someone who didn't get the web page with the 
reference right (the only one out of four that answered you via the 
list)? Why are you not answering the others? Only to show them their 
errors? We all are human. We all make errors.

Why did you argue about BIND 8.2.6 not being patched against the proof 
that it was patched? And changed your argumentation after that BIND 9.x 
is still not patched? After it was said? Can you not say "Oh, I was 
wrong." I never saw that on a mailing list.

You are answering questions in a professional manner. Most times. But 
sometimes you cannot confess that you were wrong. Then you act like a 
child who did not get what it wants. Please stop that. That is what is 
unnerving most people.

Your help with providing a binary patchset was a step in the right 
direction. If you continue it and do it in a way that is flexible and/or 
simple enough (you set the priorities) for the most of the 
"unexperienced" / "lazy" / <that-sort-of-user-you-want-to-reach> freebsd 
users that will convince people in the long time.
But continue DOING it.
Not arguing about that you don't have the power to change anything. 
People had used your binaries. But first they were flawky. You corrected 
this.
Develop a process for setting up patched binaries which will work on 
-RELEASE systems. Or provide the security officer with feedback upon 
binary updates - they had already thought about a process.

I was once willing to help - when I read your quest for the first times. 
But your ranting about the same thing with the same arguments every time 
again without having worked on it in the meantime is pissing me off 
(sorry for the harsh words - but that is the fact)
</my personal meaning about your style>.

If you want to work on a "light-weight" release process (and that it 
will be) I AM willing to help.
Why a "light-weight" release process? Imagine a remote exploitable bug 
in KDE and/or GNOME. After you have patched/updated the binary package 
you have to do a full QA on all (or the most) applications using that 
framework. That is quite time consuming. You will only have to do it for 
the applications which are affected - but to figure this out will also 
consume a lot of time.

If you want some help (yes, I AM offering you that I sleep less than I 
even do now) I am willing. I can provide webspace, a code repository and 
some traffic for the framework.

Ups, now I spend half an hour on that mail. Now I will go back to build 
that giant OpenSSH binary distribution of ours for Linux, FreeBSD, 
HP/UX, AIX, IRIX, ... in 32- and 64-Bit to get the rest of the framework 
for future "throw one package to all machines"-OpenSSH bugs.

Marc

PS: Brett, if you do not answer you won't get help.
PPS: I just learned that I should polish my English.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D217538.9050508>