From owner-freebsd-current Tue Feb 4 16:02:21 1997
From: Karl Denninger
Message-Id: <199702050002.SAA05789@Jupiter.Mcs.Net>
Subject: Re: Question: 2.1.7?
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Date: Tue, 4 Feb 1997 18:02:09 -0600 (CST)
Cc: karl@Mcs.Net, jkh@time.cdrom.com, current@freebsd.org
In-Reply-To: <901.855098550@critter.dk.tfs.com> from "Poul-Henning Kamp" at Feb 5, 97 00:22:30 am

> In message <199702042206.QAA01949@Jupiter.Mcs.Net>, Karl Denninger writes:
> Hi Karl!

Hi Paul.

> >In other words, you don't like opposing points of view.
>
> We don't mind opposing views one bit.
>
> What we >do< mind is people who can >only< talk in extremes and ultimatums.
>
> People who don't know why the middle road has to be found, because they
> see the world from the trench on one side of the road.

When the patient is bleeding from the arteries, there is no time to talk
about middle ground. You do the triage first, THEN assess what and how to
take care of the underlying problem.

The problem here is that Jordan refuses to admit that the patient is
already without heartbeat and bleeding to death on the table.

> People who lack the ability to "see it from the other party's side" is
> right there on the list too btw.

On the contrary.

I have been VERY patient and reasonable with the MULTITUDE of gratuitous
changes and serious problems (including NFS related ones) that are in
-CURRENT and other branches of the tree. I've done considerable work to
get around some of those, and just live with the others.

> You would get much more of your usually not entirely unreasonable
> suggestions through if you communicated them in a civilized manner
> rather than as a monkey on caffeine.

I START being reasonable. When I'm dismissed out of hand and ignored on
something that is of extreme importance then it's time to up the volume
more than a few notches. When the other party starts getting into the
whole "you're smoking crack" game then it's time to give up on reasonable
discourse and decide if the issue is important enough to pursue.

In this case, it is. Therefore, I'm pursuing it with all available means
at my disposal and will do so until it's resolved.

> As far as I know the FreeBSD project is in the process of finding out
> how to respond to this problem.

The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
servers and make a PUBLIC announcement that the vulnerability has been
found. Period.

The reason you do this is so that *MORE PEOPLE DO NOT GET HURT*.

Again, Paul, I'm not demanding this because I'm one of the people
affected. Other than a paranoia-based reload which I did today
prospectively, I wasn't affected in any way by this debacle. But I COULD
HAVE BEEN, very easily, and that's very, very troubling to me because
unless I was paying CAREFUL attention I wouldn't have known until my disks
had been formatted by one of the many criminal assholes out there on the
net.

> Being a volunteer, spare-time, unpaid
> project, we cannot just call everybody to attention and fix it in 10min
> flat. We need the planet to rotate a couple of times to get people
> mobilized.

You're missing the point Paul. Nobody is demanding an instant fix.

What I'm demanding is that you ADMIT IT IS BROKEN, and help stop people
from being burned by it. You can't save the world, but you CAN mitigate
further damage. You do this by WARNING PEOPLE and giving them fair notice
*BEFORE* their disks get formatted or moles inserted into their systems
which 99% of the admins will NEVER find.

The problem is that the CORE team has REFUSED TO ADMIT IT'S BROKEN and
take action to minimize the ONGOING damage.

And yes, that means killing the 2.1.6 CD shipments and removing the
distribution from the FTP sites. RIGHT NOW. Not tomorrow, not in a week
when you have a fix. NOW. That's 10 minutes of someone's time and effort.
The so-called "security officer" should have done this INSTANTLY as soon
as the exploit was posted to the security list and the extent of the
problem was disclosed. There is absolutely no excuse for failure to do
this.

FreeBSD doesn't HAVE a revenue problem with doing this -- you're not
selling operating systems. But you *DO* have a credibility problem now,
and it's only going to get worse the longer you wait.

If I have to call Walnut Creek tomorrow morning and plead my case with
them I will. I'll go to the wall on this, because I absolutely do not
need the problems on *MY* network that come from customers who attach
known-to-be-insecure machines and then come looking to us when they get
hacked to little bits. I also don't need the random disruptions that we
end up with when we're forced into picking up the pieces when others in
the community get screwed.

> If this is not good enough for you you have three choices:
> 1. Pay somebody to fix it "right now!" (You can look in our
> web pages for people offering services of that kind.)
> 2. Do it yourself.

Already did that. That's not what's under discussion here.

What's under discussion is your responsibility to the entire Internet
community that uses the software you publish. Not whether or not Karl
Denninger got screwed and how pissed he is over that event (I didn't GET
screwed).

> >Is it time yet for someone else to set up yet ANOTHER source tree and
> >development branch for FreeBSD?
>
> Now, I'm seriously confused...
>
> Why would you want to do that ?
>
> I could understand it if we refused to acknowledge and/or fix the bug, but
> as far as I know that is far from the case...

On the contrary. The core team, Jordan in particular, has in fact refused
to acknowledge the severity and serious nature of this bug. He has also
refused to mitigate the damage. And he has further responded to my calls
for that action with personal insults and attacks.

Now he has basically told me that the core team wants me to pack and
leave. So have you (I read the rest of your note before writing this.)

I have it on good authority from at least one of the core members,
however, that there are other opinions on this matter -- so for right
now, I'm not leaving.

You ask why I want to set up another branch.... I'll tell you why:

If FreeBSD's core team won't be up front about mitigating damage to other
people when you find problems then I can't TRUST that I'm getting all the
information being provided to you -- and that's an untenable position.

What I (and I believe others) want is simple:

1) ACKNOWLEDGE security issues in a timely fashion, in public, where the
   ENTIRE community can see them.

2) REMOVE AFFECTED DISTRIBUTIONS when SERIOUS problems which can't be
   quickly fixed and verified are found until a fixed distribution can be
   generated.

The question, obviously, is "how many other issues have been swept under
the rug and not acknowledged as being serious when in fact they are?"

The answer is, "I don't know". I'm not confident that the answer is
"zero" or anywhere close to it.

> If such is the case: Goodbye & Good riddance.
>
> --
> Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.

Be careful what you wish for... you just might get it.

I've spoken by voice with one of the rational core team members in the
last hour. I've given him some time to work the issues with the rest of
you -- and I note, HE asked for that time -- not me.

But barring some kind of RATIONAL resolution on this that I can see within
the next two hours, the announcements *ARE* going out to the general
Internet community (at roughly 8:00 PM tonight Chicago time).

Unlike you, Poul, I believe that if I find out about something like this
I owe it to the community *as one of its members* to disclose it so OTHER
PEOPLE DON'T GET HURT, or at least, so they know they're at risk. Whether
your FEELINGS get hurt by my doing so doesn't even enter the evaluation
process. What did enter that process is giving the core team the
opportunity to do it first, and take ownership and control of the problem.

The Core team has refused. That doesn't change my stance one bit -- it
only changes who's going to do the talking.

--
Karl Denninger (karl@MCS.Net) | MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl      | WWW: http://www.mcs.net/  Email: info@mcs.net
Voice: [+1 312 803-MCS1 x219] | Fax: [+1 773 248-9865]