From owner-freebsd-hackers Tue Feb 11 07:46:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA29396 for hackers-outgoing; Tue, 11 Feb 1997 07:46:21 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA29377 for ; Tue, 11 Feb 1997 07:46:17 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vuKJn-0006Ph-00; Tue, 11 Feb 1997 08:40:27 -0700
To: Alexander Snarskii
Subject: Re: Increasing overall security....
Cc: michaelh@cet.co.jp (Michael Hancock), freebsd-hackers@freebsd.org
In-reply-to: Your message of "Tue, 11 Feb 1997 16:18:19 +0200." <199702111418.QAA06995@burka.carrier.kiev.ua>
References: <199702111418.QAA06995@burka.carrier.kiev.ua>
Date: Tue, 11 Feb 1997 08:40:27 -0700
From: Warner Losh
Message-Id:
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702111418.QAA06995@burka.carrier.kiev.ua> Alexander Snarskii writes:
: But does Theo check
: every new sendmail distribution?

Yes. He does. And he routinely applies additional tweaks to the sources in OpenBSD from what I can tell.

: Or did he check all the FreeBSD
: packages/ports which can use these functions and have enough privileges
: to destroy your system if exploited?

No. He hasn't. That's a FreeBSD thing :-). However, now that ports are part of the OpenBSD system (or at least supported), I think this may change.

: Or did anybody check it and
: publish patches to ones (if the holes are found)?

Oftentimes Theo is behind the scenes and knows about these before the great unwashed masses know about them. And he fixes those problems in OpenBSD that are present.

Keep in mind, as was recently pointed out to me, that just bringing in the OpenBSD patches will not make FreeBSD secure. For that a top-to-bottom audit of code running at elevated privilege must be completed. The patches will tend to make FreeBSD more secure, but you won't know until after you've audited if you've grabbed everything or not.

Warner