Date: Mon, 31 Jul 2017 15:48:19 +0200
From: Michelle Sullivan <michelle@sorbs.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: DefCon lecture BSD Kern Vulns
Message-ID: <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net>
In-Reply-To: <86y3r4ubvx.fsf@desk.des.no>
References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no>
Dag-Erling Smørgrav wrote:
> Dirk Engling <erdgeist@erdgeist.org> writes:
>> have those findings officially been reported? Is someone working on
>> them?
> Speaking as a secteam member but not on behalf of so@, we are aware of
> these issues but did not get sufficient advance notice to fix them in
> time for DefCon.
>
> DES

After reading the presentation a few minutes ago... I'm going to say the obvious.... He has a point.

.. now to add something more helpful .. :)

People should talk between themselves, and maybe people should put security and co-operation before pride and empires... before us vs them... and I know that means it's not just FreeBSD, but also NetBSD and OpenBSD people who have historically had their differences... perhaps now is the time for an olive branch? (and there is a massive 'us vs them' on IRC when it comes to OpenBSD and FreeBSD.)

From a personal point of view and based on my observations, I would add that Microsoft et al. all went through similar issues to the ones everyone is seeing today.. everyone wants new features, everyone wants new drivers, everyone thinks they want new releases. Perhaps a shift is needed in thoughts/actions when it comes to FreeBSD.... this constant push forward leaves bugs which often become security issues in old code.. 2 of the highlighted bugs in the presentation were introduced in 8.1...

In the past I opened filesystem bugs against 9.x (think it was 9.2, then 9.3 for one of the bugs)... however it was never fixed (and the one I am thinking of is a "panicable" one)... in fact I predicted that what would happen would be that the bug would be looked at just after 9.x was EOLd completely... and it was hilarious.. 6th Jan (IIRC) the message came through, "please replicate on a supported version" ... I haven't, and I haven't submitted a single bug since.... and why would I?

Perhaps we should consider a change in how we manage these things, and sorry if this message p**ses off anyone (particularly those in the Security Team) because I know you all do good work, however the whole "well you should pay for our time" argument compounds the problem: it won't get any more funds in most cases, it will just p**s people off elsewhere, so you end up with fewer eyes looking for these issues.... this is one of the things Linux has gotten right.. fix bugs no matter what and regardless; new features are a different matter, that's on the whim of a coder.

I hope this will start a constructive conversation rather than people ignoring it or, worse, arguing.

Regards,

-- 
Michelle Sullivan
http://www.mhix.org/