Date:      Wed, 4 Sep 1996 12:05:12 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        nate@mt.sri.com (Nate Williams)
Cc:        terry@lambert.org, dg@root.com, nate@mt.sri.com, darrend@novell.com, chat@FreeBSD.org
Subject:   Re: FreeBSD vs. Linux 96 (my impressions) - Reply
Message-ID:  <199609041905.MAA07109@phaeton.artisoft.com>
In-Reply-To: <199609041735.LAA00851@rocky.mt.sri.com> from "Nate Williams" at Sep 4, 96 11:35:36 am

> > An alternate approach to the problem of finding out what the security
> > fixes are would be to ask their CVS log.  This is permitted, encouraged,
> > and has the side effect of removing the moral coloring from the answer
> > you receive.
> 
> And also it is a lot more (completely un-necessary) work.
> 
> Theo: 
> I fixed a security bug in OpenBSD that exists in every other OS known to
> man, but I'm not telling you where in the system it is.  But, it's a
> baaaad bug, and you should be very scared of it.
> 
> Response:
> 
> # cvs co src
> # find . -type f -print | xargs cvs log 
> 
> Look through *every* single file in the system looking for 'security'
> fix, which may/may not be logged as such to deter any casual observer
> from seeing the bug, thus 'disclosing' the bug and making other systems
> vulnerable because of OpenBSD's 'partial disclosure' policy.

From his perspective, translating the information from the useful form
it is in into a textual description that can be exported to NetBSD/FreeBSD
is "a lot more (completely un-necessary) work".

I have found that it requires convincing a core team member to get a
change into the tree.  It is irrelevant to the process that the code
is good code before the core team member understands it, or that the
core team member's understanding somehow ennobles the previously
savage code.

The point is that it is wrong to fault Theo for not taking on the task
of putting it in a form suitable to pass the NetBSD and FreeBSD "not
invented here" rejection filters.


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


