Date: Mon, 03 Feb 1997 15:33:50 +0100
From: Poul-Henning Kamp <phk@critter.dk.tfs.com>
To: tqbf@enteract.com
Cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
Message-ID: <1097.854980430@critter.dk.tfs.com>
In-Reply-To: Your message of "Mon, 03 Feb 1997 07:42:18 CST." <199702031343.HAA29502@enteract.com>
In message <199702031343.HAA29502@enteract.com>, "Thomas H. Ptacek" writes:
>This thread really isn't going anywhere. My concrete suggestion is that
>you release security announcements as soon as you become aware of a
>security problem with your code, whether you found it or someone else did.
>
>If there's something I can do to help ensure that this happens, let me
>know.

Send us patches and give us a fair amount of time before you yell it
out to the wind.

>> This is unfortunately a lot easier said than done. If you want to
>> spearhead this effort, please say so, we can always use more manpower.
>
>Heh. If you can point me to all the announcements you've made in the past
>year, I can fill you in on everything else I know about or have reported,
>and I can type them up in the format of your previous announcements. You
>can then feel free to distribute them as you wish.

Thanks for the offer, please contact pst@freebsd.org for how you can
help out here.

>> How about this: If you find a hole, you send us a patch, and if we
>> do not fix it within a particular period (two weeks ?) you can post it
>> to the world ?
>
>Two weeks?

Two weeks. Most of the problems don't have one line fixes.

>You think a vulnerability window of (at least) two weeks is acceptable?

yes.

>could get themselves patched. That's me, though. What would require a two
>week delay? Anything the obvious patch would break would be worth breaking
>to maintain security; you can release an "official, effective" patch later
>on and treat the initial one as a workaround.

Time to find the right fix. Time to roll a snapshot if need be.

Notice I didn't say it would always take two weeks, but that we'd like
to have time to not rush out the wrong non-solution.

>You obviously don't expect all your users to run -current (in fact, I
>get the impression that you discourage it for non-developers). You
>obviously want your users to be running secure versions of your OS. The
>only way to do this is to provide them with security information as it
>becomes available.
>
>Where do we disagree on this?

In that many systems cannot "just upgrade" any and all times. I may
have more experience in the operational aspects of computers than you
have.

What we need is manpower who are interested and dedicated in their
effort to >help< the users, rather than rip the carpet out under them.

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.