From owner-freebsd-chat Wed Sep 4 14:16:54 1996
Return-Path: owner-chat
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA03132 for chat-outgoing; Wed, 4 Sep 1996 14:16:54 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA03119 for ; Wed, 4 Sep 1996 14:16:49 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id PAA02488; Wed, 4 Sep 1996 15:16:29 -0600 (MDT)
Date: Wed, 4 Sep 1996 15:16:29 -0600 (MDT)
Message-Id: <199609042116.PAA02488@rocky.mt.sri.com>
From: Nate Williams
To: Theo de Raadt
Cc: nate@mt.sri.com, terry@lambert.org, dg@root.com, darrend@novell.com, chat@freebsd.org
Subject: Re: FreeBSD vs. Linux 96 (my impressions) - Reply
In-Reply-To: <9609042100.AA12246@theos.com>
References: <9609042100.AA12246@theos.com>
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 2) Nate, you are essentially behind a firewall:

Darn right. And, you aren't connecting to my box, but SRI-Menlo Park. I
don't live in Menlo Park, but in Montana. :)

> [cvs net 124 ]# telnet !$
> telnet sneezy.sri.com
> Trying 128.18.40.6...
> Connected to sneezy.sri.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> [cvs net 125 ]# rpcinfo -p !$
> rpcinfo -p sneezy.sri.com
> ^C (timed out)
> [cvs net 126 ]# showmount -e !$
> showmount -e sneezy.sri.com
> ^C (timed out)
>
> Now why would I want to go releasing bugs that are in my system?
> Perhaps I should go releasing bugs that are in YOUR system.

I'd prefer everyone knowing about the bugs in my system vs. me not
knowing and some others knowing (possibly hackers). Full disclosure of
the bugs is *ALWAYS* better than partial disclosure, i.e., I know
something you don't know.

> Ok, I know a bug in your system. Judging by the version, your
> sendmail has at least one exploitable remote root hole. Shall I
> continue?

Sure, go ahead.

You don't know my system, and you assume too much.

> We gain nothing from telling the world what these holes are.

You gain the ability to 'prove' that your system is more secure by
statements other than "it's more secure". When Marcus Ranum (formerly
of TFS) states his system is secure, I believe him because of his track
record. You don't have one, positive or negative, since OpenBSD has
virtually no track record. We have to trust that what you're saying is
true, and trust is something that is earned, not implicitly given. You
haven't earned my trust.

> Not that
> you guys ever really asked nicely, or made it easy for me to help.
> Hmm.. not saying I would, either. I'm very busy. We are preparing for
> a release.

All *anyone* has asked (in Usenet and other forums) is that you disclose
the security problems. You (and others) took the time to find them, and
check to see if they existed in other OS's. That's more work than simply
doing:

    $ mail -s "RDIST is full of holes, check out OpenBSD sources" \
        security@FreeBSD.org

> Damn rights. "John, can you write us up a set of detailed
> instructions for how to drop your VM system into our kernel?"
> I think John has better things to do; so do I.

Integrating the VM is a lot more difficult than sending an email message
stating that the VM system is buggy.

> Early along our quest for greater security (which was spawned by an
> attack on my machine by someone who modified a file only the NetBSD
> people would have wanted modified) I did report a security problem to
> the FreeBSD security maintainer, about a hole to look at, I did not
> get a reply.

Stuff happens. Does that mean condemning the process from that point on?

> Meanwhile, while merging the FreeBSD userland changes into OpenBSD I
> found 4 security fixes that I had not heard of before. At least one
> of those was done while OpenBSD was already making waves in the
> security community. We did not get mail about it. FreeBSD can expect
> the same.

Paul Traina has only recently taken on the organization of the security
of FreeBSD. Our previous security dude went

Nate