From owner-freebsd-hackers Fri Oct 18 23:34:40 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id XAA21576 for hackers-outgoing; Fri, 18 Oct 1996 23:34:40 -0700 (PDT)
Received: from zeus.theos.com (zeus.theos.com [199.185.137.1])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA21550;
    Fri, 18 Oct 1996 23:34:32 -0700 (PDT)
Received: from LOCALHOST.theos.com (LOCALHOST.theos.com [127.0.0.1])
    by zeus.theos.com (8.8.Beta.2/8.8.Beta.1) with SMTP id AAA29148;
    Sat, 19 Oct 1996 00:34:23 -0600 (MDT)
Message-Id: <199610190634.AAA29148@zeus.theos.com>
X-Authentication-Warning: zeus.theos.com: LOCALHOST.theos.com [127.0.0.1] didn't use HELO protocol
To: dyson@freebsd.org
cc: downsj@teeny.org (Jason Downs), ache@nagual.ru, dg@root.com,
    gritton@byu.edu, freebsd-hackers@freebsd.org,
    tech-userlevel@netbsd.org, misc@openbsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
In-reply-to: Your message of "Sat, 19 Oct 1996 01:26:31 CDT." <199610190626.BAA02729@dyson.iquest.net>
Date: Sat, 19 Oct 1996 00:34:14 -0600
From: Theo de Raadt
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Ah, yes. I've been watching this thread with some amount of amusement, as
> > have other OpenBSD developers.
> >
> > Yes, please back it out. I would rather have OpenBSD remain the most secure
> > version of UNIX that money can't buy.
> >
>
> The THING about OpenBSD security is pretty much unsubstantiated. I think
> that it is kind of funny (odd)... Very few outside of OpenBSD have been
> provided with any kind of digest as to the security fixes... Sounds like
> marketing claims to me!!!
>
> Additionally, that "fix" was simply the wrong thing to do, and there are
> better ways to deal with the problem. If the zeroing the buffer in db
> was typical of the ways that others are "fixing" security, well... Sad... :-(.

Ah John, ever eager to continue a flame war aren't you.

In fact, I think a lot of you need to do a bit more homework and check a few more programs in the source tree to see if you guys have caught all the cases. Quite frankly the coredump story is not over, and there's a few other things you should really think of. But you people are so ready and eager to flame, so you are on your own. You'll see nothing more about this from me, here. See you guys in bugtraq, if any place at all.