Date:      Wed, 4 Sep 1996 15:16:29 -0600 (MDT)
From:      Nate Williams <nate@mt.sri.com>
To:        Theo de Raadt <deraadt@theos.com>
Cc:        nate@mt.sri.com, terry@lambert.org, dg@root.com, darrend@novell.com, chat@freebsd.org
Subject:   Re: FreeBSD vs. Linux 96 (my impressions) - Reply
Message-ID:  <199609042116.PAA02488@rocky.mt.sri.com>
In-Reply-To: <9609042100.AA12246@theos.com>
References:  <9609042100.AA12246@theos.com>

> 2) Nate, you are essentially behind a firewall:

Darn right.  And, you aren't connecting to my box, but SRI-Menlo Park.
I don't live in Menlo Park, but in Montana. :)

> 	[cvs net 124 ]# telnet !$
> 	telnet sneezy.sri.com
> 	Trying 128.18.40.6...
> 	Connected to sneezy.sri.com.
> 	Escape character is '^]'.
> 	Connection closed by foreign host.
> 	[cvs net 125 ]# rpcinfo -p !$
> 	rpcinfo -p sneezy.sri.com
> 	^C						(timed out)
> 	[cvs net 126 ]# showmount -e !$
> 	showmount -e sneezy.sri.com
> 	^C						(timed out)
> 
> Now why would I want to go releasing bugs that are in my system?
> Perhaps I should go releasing bugs that are in YOUR system.

I'd prefer knowing about everyone knowing about the bugs in my system
vs. me not knowing and some others knowing (possibly hackers).  Full
disclosure of the bugs is *ALWAYS* better than partial disclosure, i.e.,
I know something you don't know.

> Ok, I know a bug in your system.  Judging by the version, your
> sendmail has at least one exploitable remote root hole.  Shall I
> continue?

Sure, go ahead.  You don't know my system, and you assume too much.

> We gain nothing from telling the world what these holes are.

You gain the ability to 'prove' that your system is more secure by
statements other than "it's more secure".  When Marcus Ranum (formerly
of TFS) states his system is secure, I believe him because of his track
record.  You don't have one positive or negative since OpenBSD has
virtually no track record.  We have to trust that what you're saying is
true, and trust is something that is earned, not implicitly given.  You
haven't earned my trust.

> Not that
> you guys ever really asked nicely, or made it easy for me to help.
> Hmm.. not saying I would, either.  I'm very busy.  We are preparing for
> a release.

All *anyone* has asked (in Usenet and other forms) is that you disclose
the security problems.  You (and others) took the time to find them, and
check to see if they existed in other OS's.  That's more work than
simply doing:

$ mail -s "RDIST is full of holes, check out OpenBSD sources" \
        security@FreeBSD.org

> Damn rights.  "John, can you write us up a set of detailed
> instructions for how to drop your VM system into our kernel?"
> I think John has better things to do; so do I.

Integrating the VM is a lot more difficult than sending an email message
stating that the VM system is buggy.

> Early along our quest for greater security (which was spawned by an
> attack on my machine by someone who modified a file only the NetBSD
> people would have wanted modified) I did report a security problem to
> the FreeBSD security maintainer, about a hole to look at, I did not
> get a reply.

Stuff happens, does that mean condemning the process from that point on?

> Meanwhile, while merging the FreeBSD userland changes into OpenBSD I
> found 4 security fixes that I had not heard of before.  At least one
> of those was done while OpenBSD was already making waves in the
> security community.  We did not get mail about it.  FreeBSD can expect
> the same.

Paul Traina has only recently taken on the organization of the security
of FreeBSD.  Our previous security dude went



Nate