Date:      Mon, 24 Jun 2002 22:29:27 -0500
From:      Sean Kelly <smkelly@zombie.org>
To:        Theo de Raadt <deraadt@cvs.openbsd.org>
Cc:        Ted Cabeen <secabeen@pobox.com>, "Jacques A. Vidrine" <nectar@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: Hogwash
Message-ID:  <20020625032927.GA6579@edgemaster.zombie.org>
In-Reply-To: <200206250203.g5P238LJ002003@cvs.openbsd.org>
References:  <87sn3c6rte.fsf@gray.impulse.net> <200206250203.g5P238LJ002003@cvs.openbsd.org>

On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> I'm not giving away any hints.  Assume the worst and do the upgrade,
> and if you dislike the way I handled this, don't buy me that beer
> later.

I'm just curious when this OpenBSD policy change took effect.  According to
http://www.openbsd.org/security.html#disclosure:

     Full Disclosure
          Like many readers of the BUGTRAQ mailing list, we believe in
          full disclosure of security problems. In the operating system
          arena, we were probably the first to embrace the concept. Many
          vendors, even of free software, still try to hide issues from
          their users.

          Security information moves very fast in cracker circles. On the
          other hand, our experience is that coding and releasing of
          proper security fixes typically requires about an hour of work
          -- very fast fix turnaround is possible. Thus we think that
          full disclosure helps the people who really care about
          security.

Not all of us are in the position to use cutting edge OpenSSH-portable
versions. By you holding back this information, you are only hurting those
who *CAN'T* upgrade to your latest and greatest. Has there actually been
enough testing of privsep to say that it contains no bugs? It seems to me
that we'd all be better off if you just released a diff and let us all fix
our own wounds.

-- 
Sean Kelly         | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org
