From: "Brandon Vincent (Student)"
To: Mikhail, "freebsd-security@freebsd.org"
Subject: RE: De Raadt + FBSD + OpenSSH + hole?
Date: Sun, 20 Apr 2014 04:34:54 +0000

It seems like this attitude will provide fuel to the argument that open-source software is inherently less secure.

I'm surprised that SSH Communications Security hasn't used these posts yet as an argument to why their product is more secure.

Brandon Vincent
________________________________________
From: owner-freebsd-security@freebsd.org [owner-freebsd-security@freebsd.org] on behalf of Mikhail [mp39590@gmail.com]
Sent: Saturday, April 19, 2014 6:46 PM
To: freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?

>On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote:
>> Matt Dawson wrote:
>>
>>> My first thought when I saw this was "ego over ethics," which says more
>>> about Theo than FreeBSD.
>>
>> Totally.
>>
>> I know Theo has a reputation for being 'difficult', but in my opinion,
>> this outburst really calls into question his perceived motivations
>> regarding secure software.
>>
>> As to the specific question, I don't think his ego would allow a bug
>> in openssh to persist, so even if it does, I'd suspect it's not too
>> serious (or it's non-trivial to exploit), and it's related to FreeBSD
>> produced 'glue'.
>>
>> This is total guesswork on my part, but I'd therefore assume he was
>> talking about openssh in base, rather than openssh-portable in
>> ports.
>>
>
>As the maintainer of the port I will say that your security decreases
>with each OPTION/patch you apply. I really would not be surprised if one
>of the optional patches available in the port had issues.

I believe that Theo just browbeat. Reasons? It was looooong ago, I think
very few still remember, but Theo definitely does:

http://lists.freebsd.org/pipermail/freebsd-security/2005-March/002719.html