From owner-freebsd-security Wed Jun 26 17:34:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id A505E37BF80 for ; Wed, 26 Jun 2002 16:26:47 -0700 (PDT)
Received: (qmail 59750 invoked by uid 3338); 26 Jun 2002 21:40:05 -0000
Date: Wed, 26 Jun 2002 17:40:05 -0400
From: Travis Cole
To: Petr Swedock
Cc: freebsd-security@freebsd.org
Subject: Re: Wow
Message-ID: <20020626214005.GC53981@ainaz.pair.com>
References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <867kklaneg.fsf@blade-runner.mit.edu>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jun 26, 2002 at 02:46:31PM -0400, Petr Swedock wrote:
>
> I'll be rethinking my use of OpenSSH for the very same
> reason. You're not my dad, my cop, my priest, my lawyer
> or firefighter. NOR are you the Unix version of 'install
> wizard'. I expect code from you. That's it. Write code.

I was thinking the same thing a few hours ago. But I've since changed my mind.

> I don't expect paternalism, risk assessments, restrictions,
> regulations or even the time of day. I have no concern
> for what you think my risks are NOR your preferred method
> of ameliorating those risks. Write the fucking code. I ask
> for no warranty. I don't call you with help desk questions.
> Write the code and get down off that extremely high horse
> before you hurt yourself.

I think Theo and the OpenSSH team did the right thing here. But, unfortunately, things didn't work out so well :(

No one knew this was coming. So they had the opportunity to minimize the impact by urging people to upgrade to a new version of OpenSSH which would mitigate the problem. All before any of the bad guys knew what the problem was. We knew a source fix was coming, so we could choose to wait for that or install 3.3 with privsep and run it for a week, then upgrade again.

Through an unfortunate string of circumstances this whole thing got ugly. I got pissed off, a lot of others got pissed off.

Here is how I see it. The cold hard truth. What Theo and the OpenSSH team did was the right thing. Unfortunately they didn't use the best words to express what was needed. I think that's what's really pissing people off. Not what they did, but how they said it. I feel a lot better about things now that I've realized that.

And then of course there is ISS... I don't have any good words to say about them.

--
-tcole