From: Wesley Morgan <morganw@chemikals.org>
To: José M. Fandiño, freebsd-security@freebsd.org
Date: Fri, 11 Aug 2006 12:53:33 -0400 (EDT)
Subject: Re: atheros chips dangerous?
Message-ID: <20060811123921.K43265@volatile.chemikals.org>
In-Reply-To: <38802.1155288265@critter.freebsd.dk>
References: <38802.1155288265@critter.freebsd.dk>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

On Fri, 11 Aug 2006, Poul-Henning Kamp wrote:

> In message <44DC47D7.2050908@fadesa.es>, "José M. Fandiño" writes:
>
>>> Sam compiled those binaries, he has the source code.
>>>
>> And it is a matter of trust.
>>
>> From phk's comments I deduce that it was an NDA between Atheros
>> and FreeBSD.
>
> The NDA is between Atheros and Sam Leffler.
>
>> In my opinion the difference is that with an NDA you place trust in
>> a few persons (the ones with the code), whilst with open source
>> drivers the code can be reviewed by all people with enough
>> knowledge about the subject, and since peer review is an important
>> concept in FOSS quality (and security) it would be desirable
>> to have free code.
>
> While that is certainly true, I also feel that the fact that
> Atheros has actively tried to work with the FOSS people to get
> a good driver should be credited to them.
>
> Other vendors have been totally impossible to work with.

I agree, the Atheros driver is fantastic. The driver may be "binary" in some ways, but I think we got the best of both worlds. The vendor is providing every scrap of information necessary without having to give away trade secrets, and FreeBSD got a driver authored by a developer who is probably one of the most qualified people in the world to work on it. I know I go out of my way to purchase and recommend Atheros-based wireless devices because of this.

Anyone who simply makes the blanket assumption that because something is "FOSS" it gets more peer review need only look at some of the oldest open source projects around, such as sendmail or XFree/Xorg, to realize that security problems can persist for years without being discovered.

-- 
This .signature sanitized for your protection