From owner-freebsd-chat Wed Sep 4 12:10:33 1996
From: Terry Lambert
Message-Id: <199609041905.MAA07109@phaeton.artisoft.com>
Subject: Re: FreeBSD vs. Linux 96 (my impressions) - Reply
To: nate@mt.sri.com (Nate Williams)
Date: Wed, 4 Sep 1996 12:05:12 -0700 (MST)
Cc: terry@lambert.org, dg@root.com, nate@mt.sri.com, darrend@novell.com, chat@FreeBSD.org
In-Reply-To: <199609041735.LAA00851@rocky.mt.sri.com> from "Nate Williams" at Sep 4, 96 11:35:36 am

> > An alternate approach to the problem of finding out what the security
> > fixes are would be to ask their CVS log. This is permitted, encouraged,
> > and has the side effect of removing the moral coloring from the answer
> > you receive.
>
> And also it is a lot more (completely un-necessary) work.
>
> Theo:
> I fixed a security bug in OpenBSD that exists in every other OS known to
> man, but I'm not telling you where in the system it is. But, it's a
> baaaad bug, and you should be very scared of it.
>
> Response:
>
> # cvs co src
> # find . -type f -print | xargs cvs log
>
> Look through *every* single file in the system looking for 'security'
> fix, which may/may not be logged as such to deter any casual observer
> from seeing the bug, thus 'disclosing' the bug and making other systems
> vulnerable because of OpenBSD's 'partial disclosure' policy.

From his perspective, translating the information from the useful form it is in into a textual description that can be exported to NetBSD/FreeBSD is "a lot more (completely un-necessary) work".

I have found that it requires convincing a core team member to get a change into the tree. It is irrelevant to the process that the code is good code before the core team member understands it, or that the core team member's understanding somehow ennobles the previously savage code.

The point is that it is wrong to fault Theo for not taking on the task of putting it in a form suitable to pass the NetBSD and FreeBSD "not invented here" rejection filters.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.