From owner-freebsd-security Mon Feb 3 06:33:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA00747 for security-outgoing; Mon, 3 Feb 1997 06:33:21 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id GAA00739 for ; Mon, 3 Feb 1997 06:33:19 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vrPRQ-0003yFC; Mon, 3 Feb 97 06:32 PST
Received: from critter.dk.tfs.com (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id PAA03012; Mon, 3 Feb 1997 15:32:14 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id PAA01099; Mon, 3 Feb 1997 15:33:50 +0100 (MET)
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 07:42:18 CST." <199702031343.HAA29502@enteract.com>
Date: Mon, 03 Feb 1997 15:33:50 +0100
Message-ID: <1097.854980430@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702031343.HAA29502@enteract.com>, "Thomas H. Ptacek" writes:

>This thread really isn't going anywhere. My concrete suggestion is that
>you release security announcements as soon as you become aware of a
>security problem with your code, whether you found it or someone else did.
>
>If there's something I can do to help ensure that this happens, let me
>know.

Send us patches and give us a fair amount of time before you yell it
out to the wind.

>> This is unfortunately a lot easier said than done. If you want to spear
>> head this effort, please say so, we can always use more manpower.
>
>Heh. If you can point me to all the announcements you've made in the past
>year, I can fill you in on everything else I know about or have reported,
>and I can type them up in the format of your previous announcements. You
>can then feel free to distribute them as you wish.

Thanks for the offer, please contact pst@freebsd.org for how you can
help out here.

>> How about this: If you find a hole, you send us a patch, and if we
>> do not fix it within a particular period (two weeks ?) you can post it
>> to the world ?
>
>Two weeks?

Two weeks. Most of the problems don't have one-line fixes.

>You think a vulnerability window of (at least) two weeks is acceptable?

Yes.

>could get themselves patched. That's me, though. What would require a two
>week delay? Anything the obvious patch would break would be worth breaking
>to maintain security; you can release an "official, effective" patch later
>on and treat the initial one as a workaround.

Time to find the right fix. Time to roll a snapshot if need be.

Notice I didn't say it would always take two weeks, but that we'd like
to have time to not rush out the wrong non-solution.

>You obviously don't expect all your users to run -current (in fact, I
>get the impression that you discourage it for non-developers). You
>obviously want your users to be running secure versions of your OS. The
>only way to do this is to provide them with security information as it
>becomes available.
>
>Where do we disagree on this?

In that many systems cannot "just upgrade" at any and all times. I may
have more experience in the operational aspects of computers than you
have.

What we need is manpower who are interested and dedicated in their
effort to >help< the users, rather than rip the carpet out from under them.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.