From owner-freebsd-security@freebsd.org Mon Jul 31 14:48:33 2017
From: Michelle Sullivan
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: DefCon lecture BSD Kern Vulns
Date: Mon, 31 Jul 2017 15:48:19 +0200
Message-id: <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net>
In-reply-to: <86y3r4ubvx.fsf@desk.des.no>
References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no>

Dag-Erling Smørgrav wrote:
> Dirk Engling writes:
>> have those findings officially been reported? Is someone working on
>> them?
> Speaking as a secteam member but not on behalf of so@, we are aware of
> these issues but did not get sufficient advance notice to fix them in
> time for DefCon.
>
> DES

After reading the presentation a few minutes ago... I'm going to say the obvious.... He has a point.

.. now to add something more helpful .. :)

People should talk between, and maybe people should put security and co-operation before pride and empires... before us vs them... and I know that means it's not just FreeBSD, but also NetBSD and OpenBSD people who have historically had their differences... perhaps now is the time for an olive branch? (And there is a massive 'us vs them' on IRC when it comes to OpenBSD and FreeBSD.)

From a personal point of view and from my observations, I would add that Microsoft et al. all went through similar issues to those everyone is seeing today.. everyone wants new features, everyone wants new drivers, everyone thinks they want new releases. Perhaps a shift is needed in thoughts/actions when it comes to FreeBSD.... this constant push forward leaves bugs which often become security issues in old code.. 2 of the highlighted bugs in the presentation were introduced in 8.1...

In the past I opened filesystem bugs against 9.x (think it was 9.2, then 9.3 for one of the bugs)... however it was never fixed (and the one I am thinking of is a "panicable" one)... in fact I predicted that what would happen would be the bug would be looked at just after 9.x was EOL'd completely... and it was hilarious.. 6th Jan (IIRC) the message came through, "please replicate on a supported version" ... I haven't, and I haven't submitted a single bug since.... and why would I?

Perhaps we should consider a change in how we manage these things, and sorry if this message p**ses off anyone (particularly those in the Security Team) because I know you all do good work, however the whole "well you should pay for our time" argument compounds the problem, it won't get any more funds in most cases, it will just p**s people off elsewhere so you end up with fewer eyes looking for these issues.... this is one of the things Linux has gotten right.. fix bugs no matter what and regardless; new features... different matter, that's on the whim of a coder.

I hope this will start a constructive conversation rather than people ignoring or, worse, arguing.

Regards,

-- 
Michelle Sullivan
http://www.mhix.org/