Date: Fri, 23 Jun 2017 11:00:31 +0200
From: Remko Lodder <remko@FreeBSD.org>
To: Michelle Sullivan <michelle@sorbs.net>
Cc: Peter Jeremy <peter@rulingia.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: The Stack Clash vulnerability
Message-ID: <B7E03A51-B133-416E-A523-1739E743B473@FreeBSD.org>
In-Reply-To: <fd64b255-6c47-1ac1-b5df-2edbdc02d550@sorbs.net>
References: <F9B7242B-ED83-45C5-9196-6FD095AD9497@gvcgroup.com> <CAPyFy2CicxYBZpyy-pHS+Q=wTvwhpqi0fOKahEBDqiVe5h084A@mail.gmail.com> <CAPyFy2C4-hKG=hh0=th+RDwBzmMUqMqdg4YYZ76WxGS-JLnLBA@mail.gmail.com> <a1c45d20-78f9-e7d7-2f3e-d18c1723c5d5@sorbs.net> <0F042A4B-CB52-47EB-A191-D7617E51789A@FreeBSD.org> <187b2241-510e-20f8-50c6-16b318e22e89@sorbs.net> <20170622222930.GA36405@server.rulingia.com> <fd64b255-6c47-1ac1-b5df-2edbdc02d550@sorbs.net>
> On 23 Jun 2017, at 01:19, Michelle Sullivan <michelle@sorbs.net> wrote:
>
> Peter,
>
> Peter Jeremy wrote:
>>
>> paying someone to provide whatever level of support you want. With
>> respect to your 9.x servers, no-one is saying you must replace the
>> hardware, just that the FreeBSD Project will not continue to provide
>> you with free support whilst you choose to run 9.x on them. Note that
>>
> You mistake me for someone who needs or is asking for support.
>
> I already have the proposed patch available to me on my servers. I'm not convinced it solves the issue, merely making it a *lot* more difficult to exploit; however, that was my 'first look'. I have a lot more to understand and think about, and there are many more people of higher intelligence looking at it than me.
>
> That said, I'm suggesting that, given the amount of time this issue has been around and that it was supposedly fixed many years ago, one should consider a special-case backport for those that are not capable of creating their own patches... and before throwing accusations around you should consider how many times I have ever suggested that a particular bug gets backported... If you can't be bothered to check, this is the first since I started using FreeBSD in 2003.

Okay, let's cool this thread down. There are no accusations in this thread, and they are not needed nor welcome either.

I am going to make a general note below; this is not something that is aimed at _you_ personally.

My general note is about the policy we maintain to update supported systems. Once we are ready with the currently supported branches, it might be "simple" for "someone" (not the FreeBSD Security Team) to backport those changes into older -STABLE branches.

I am stating that we will not per se do that. But if someone has the time and effort to support such a change, it will be done. People like hps@ merge periodically to older branches that are officially no longer supported. That does not mean that they cannot do that, but that they have an interest in doing so, which is perfectly fine (of course).

So, if the patch is applicable for older branches as well (stable, I mean), someone needs to find a committer that can vouch for it and also import it into the stable branches. He or she has to understand that it might cause problems, and in that case they need to be investigated by that person.

If someone who is commercially using our Operating System has an urgent need to have this in a -STABLE branch, I am sure that a few bucks here and there can make it worth someone's (free) time to support that.

That's the way it works: we volunteer for this project, and we do understand that people are using our product, even in a commercial sense where people make a -lot- of money with "our" work. That is perfectly fine. But we have to draw a line in what we can and will support. We also have families, hobbies, and other work that obviously also costs time and generates our income(s). Even with that we are happy to work on the project, and thus the "product" that we ship. But there is a line. There are no more hours in a day than 24. We have to divide that among all those regions we are active in. That is where the support policy comes in: we accept the fact that we maintain and support releases and stable branches after we created them. We do that for a limited amount of time, so that we can have a good division between new products and our other activities.

So if someone wants to keep a committer/programmer active while he could have been playing with his kids, it should be worth his/her while (in addition to the work he/she already does for the project), and it's for the committer to decide whether that is indeed worth the while. Perhaps a committer is already being paid by someone to do this and he or she will just do it "for free"; then everyone benefits and we have to thank the sponsor for that.

So given the above, and now I am responding to your request, I do not think we should break our tradition. There are many things that are not fixed in older branches (OpenSSL comes to mind); we simply have to make a choice in what we can and cannot do, and be open about that. Branches that are no longer supported will not get official fixes anymore. A committer is free to do so, with the note that it -might- cost a few bucks to get that going.

I hope the above makes it a bit clearer why we have to draw a line somewhere, and what it might take to get it into the STABLE branches. It can be done, but you need to find someone who can do that, with potential consequences.

Thanks,
Remko

>
> --
> Michelle Sullivan
> http://www.mhix.org/