From owner-freebsd-security Tue Jul 21 23:41:28 1998
Message-ID: <19980722084026.45975@follo.net>
Date: Wed, 22 Jul 1998 08:40:26 +0200
From: Eivind Eklund
To: Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
References: <27231.900993063@time.cdrom.com> <19980722015030.15881@nevalink.ru>
In-Reply-To: <19980722015030.15881@nevalink.ru>; from Alexandre Snarskii on Wed, Jul 22, 1998 at 01:50:30AM +0400

On Wed, Jul 22, 1998 at 01:50:30AM +0400, Alexandre Snarskii wrote:
> > > There's only one solution, one which OpenBSD has made significant
> > > marketing points out of, and that's to go through the code and look
> > > for holes resulting from poor programming practices.
> >
> > Indeed. I like the fact that they're doing this, and that they are
> > able to make those marketing points out of it. Could we hire them
> > to audit all the FreeBSD code, and then we would get the marketing
> > points? :-)

No. I've investigated this option, and it did not seem at all feasible
at the time. However, you _could_ hire somebody to merge over all the
good changes from OpenBSD.

> Don't forget that the OpenBSD team doesn't audit ports. And they
> just removed qpopper from their ports collection after the exploit.

Which IMO was the right decision. This isn't the first time qpopper
has had a serious security hole (though I don't think any of them have
been that widely exposed before), and I don't believe it will be the
last.

Eivind.