Date: Tue, 4 Feb 1997 17:58:29 -0700 (MST)
From: Nate Williams <nate@mt.sri.com>
To: Karl Denninger <karl@Mcs.Net>
Cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), jkh@time.cdrom.com, current@freebsd.org
Subject: Re: Question: 2.1.7?
Message-ID: <199702050058.RAA09051@rocky.mt.sri.com>
In-Reply-To: <199702050002.SAA05789@Jupiter.Mcs.Net>
References: <901.855098550@critter.dk.tfs.com> <199702050002.SAA05789@Jupiter.Mcs.Net>
[ Wheee....., jumping in the fray ]

> > As far as I know the FreeBSD project is in the process of finding out
> > how to respond to this problem.
>
> The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
> servers and make a PUBLIC announcement that the vulnerability has been
> found.
>
> Period.

Until the person who is responsible for the 'breakage()' has time to get
the same knowledge as you, you must allow him to figure out how severe the
problem is. Many/most of the FreeBSD folks have 'real' jobs, so no matter
how important the problem is to you, they have to wait until they get home
to go look at the alleged problem.

> The problem is that the CORE team has REFUSED TO ADMIT IT'S BROKEN and take
> action to minimize the ONGOING damage. And yes, that means killing the
> 2.1.6 CD shipments and removing the distribution from the FTP sites.

Poul pointed out (and you edited out) that because of the nature of the
project, it takes a couple revolutions of the world to get all of the
necessary troops mustered.

> RIGHT NOW. Not tomorrow, not in a week when you have a fix.
>
> NOW.

I'm sorry, but you're not dealing with a 'NOW' organization, and no amount
of yelling, screaming, kicking, or cajoling is going to change the fact
that the FreeBSD Project is a 'couple 'o day' group of people. Two more
days won't make *that* much difference on a release that's been out 3
months, no matter how much you want to say otherwise. *HUGE* holes in
commercial OS's go months w/out fixes, and the general public finds it
annoying, but not so much as to dump the vendor.

> That's 10 minutes of someone's time and effort. The so-called "security
> officer" should have done this INSTANTLY as soon as the exploit was posted
> to the security list and the extent of the problem was disclosed. There is
> absolutely no excuse for failure to do this.

The security officer has a real job and a life outside of FreeBSD. He
doesn't live/eat/breathe FreeBSD, unlike people like you whose bread and
butter are directly related to OS's such as FreeBSD.

> FreeBSD doesn't HAVE a revenue problem with doing this -- you're not selling
> operating systems. But you *DO* have a credibility problem now, and it's
> only going to get worse the longer you wait.

IMHO, based on past experience, 24-48 hours won't make the difference you
claim it will. Even if the distribution is yanked, there are thousands of
installed sites who won't become aware of problems in the next week, and
many more who won't upgrade their sites due to their own time pressures
even if a 2.1.7 release existed.

> On the contrary. The core team, Jordan in particular, has in fact refused
> to acknowledge the severity and serious nature of this bug. He has also
> refused to mitigate the damage. And he has further responded to my calls
> for that action with personal insults and attacks.

This is where you're over-reacting. While I agree that his 'interpersonal'
skills aren't always the best (whose are?), refusing to act in your time
frame != refusing to mitigate the damage and/or refusing to admit the
severity of the problem. People need time to react, and not all of us have
taken the time to go look through every SUID program in the system and
find out how they're affected like you have.

Give people time to respond before going ballistic.

Nate