*BSD News Article 72102



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mira.net.au!vic.news.telstra.net!act.news.telstra.net!psgrain!newsfeed.internetmci.com!news.mathworks.com!news.PBI.net!decwrl!pacbell.com!toad.com!news.tetherless.net!news.sigmasoft.com!not-for-mail
From: tholo@gandalf.sigmasoft.com (Thorsten Lockert)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: followup from censored port-i386@Netbsd.ORG
Date: 23 Jun 1996 12:34:05 -0700
Organization: SigmaSoft, Th. Lockert
Lines: 152
Message-ID: <4qk67d$h8d@gandalf.sigmasoft.com>
References: <DERAADT.96Jun23070919@zeus.theos.com>
NNTP-Posting-Host: gandalf.sigmasoft.com
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Newsreader: NN version 6.5.0 CURRENT #0
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:3870 comp.unix.bsd.freebsd.misc:22232

In <DERAADT.96Jun23070919@zeus.theos.com> deraadt@theos.com (Theo de Raadt) writes:
>
>This is the tail of a discussion that was happening on a NetBSD
>mailing list.  The NetBSD core occasionally (silently) censor items on
>their mailing lists.  They permitted a piece of mail to go through
>which flamed me (and hence the OpenBSD group) but have censored my
>reply.  This is certainly not the first time the NetBSD core have
>censored items on their mailing lists.

It is really nice when messages and articles get selectively censored
like this.  It inspires confidence in the people that provide the
service.  And you can be sure of always hearing both sides of a story.

>The original discussion started out regarding a claim that NetBSD had
>solid security. I replied that OpenBSD had fixed a number of bugs.
>Soon people were flaming me for not telling them about these problems.
>But.. as the article below shows I have every reason to NOT let NetBSD
>people know about these problems.  I don't trust them because they
>regularly LIE to people about things about me and OpenBSD.

There is, of course, also the fact that making such security fixes
public would also allow any and all would-be crackers access to the
information.  The hard-core crackers out there already have the
information, of course, so stopping it from getting to them is a
bit harder.  The wannabes tend to do more damage in the short term
tho.

>Once again..  I will add that in 90% of cases people running only
>PC-boxes have no reason to run anything but FreeBSD -- it is better
>than anything else IF you only have i386 boxes.

Agreed.  As of today, and possibly/probably for the foreseeable
future, FreeBSD is the best free BSD implementation for the Intel
platform.  It is also easier to install, which counts for a lot
with many.  And, finally, they have more and better documentation.

>I will NOT put up with the NetBSD core members and their friends lying
>about the reasons for the formation of the OpenBSD project any longer.
>This is all going public now.  I'll answer any and all questions
>people have.

My guess is that this was inevitable with how things have been getting
more and more skewed.  Hopefully this will make some people think a
bit more about what has happened, and perhaps look into the reasons
for themselves instead of just listening to one side of the story.

>To: John Goerzen <jgoerzen@complete.org>
>cc: deraadt@theos.com (Theo de Raadt), port-i386@netbsd.org
>Subject: Re: NetBSD DOSEMU -- questions from a prospective NetBSD user 
>In-reply-to: Your message of "Fri, 21 Jun 1996 20:53:42 CDT."
>             <199606220153.UAA05652@complete.org> 
>Date: Fri, 21 Jun 1996 22:43:04 -0600
>From: Theo de Raadt <deraadt@zeus.theos.com>

Strange...  I never saw this coming through on the NetBSD mailing
list...  I guess it was one of the victims of the censorship.

>> > Jason Thorpe <thorpej@nas.nasa.gov> wrote:
>> > > On Fri, 21 Jun 1996 03:00:00 -0600 
>> > >  Theo de Raadt <deraadt@theos.com> wrote:
>> > > 
>> > >  > I would say that is an incorrect assessment of the situation, since
>> > >  > I've fixed about 20 security holes in OpenBSD -- a NetBSD derived
>> > >  > system.  I think NetBSD has fixed 1 of those (in a different way).
>> > > 
>> > > Perhaps you could share your findings with us?
>> > 
>> > No, Jason.
>> > 
>> > What do I gain? My machines have those problems solved, as do those of
>> > the other people running OpenBSD.
>
>> Why are you so selfish?  Can't you do it for the sake of the USERS?  Or do
>> only the users of OpenBSD count, and all the others are just "slime"?  I'll
>> tell you this -- your attitude is not at all the type of person I want
>> developing an OS.

I don't see this as being selfish.  If that were the intent there would
probably be controlled access to the CVS tree so that only selected
people could even look at what has been changed or fixed.  As it is,
most of the NetBSD developers have selected to ignore any and all fixes
that have gone into OpenBSD.  Now, this seems to me like they are the
ones to blame, and not the people that are developing OpenBSD.

>I often tell people from the other OS camps about these bugs.  But
>NetBSD does not deserve my help.  Quite often they don't even give
>credit to people when they get fixes.

And I don't think I've seen them report any security problems to the
OpenBSD group either...  If there is to be communication, there should
be two-way communication.

>Why should I help a project that flames OpenBSD developers regularly?
>A few days ago Herb said to one of the OpenBSD developers:
>
>    "And to think I thought you were older than that... I guess Theo
>    has done us all a favor... He's collecting all the assholes in one
>    little pot... run along little man..."

Hm, that is the first time I have been called an "asshole".  I guess
me choosing to go with OpenBSD turned out to be the right thing, since
_some_ of the people in the NetBSD group seem to have this kind of
problems, be they personal or not.

>BTW, because the word assholes appears in here the NetBSD censor
>filter is going to catch this.  Whether the outside world sees this
>reply.. heck I don't know.
>
>What is OpenBSD to do when these kinds of things are a regular
>occurrence?

So far nothing has been done.  But it is starting to look like it
is time for this to change.  Not saying anything has not seemed to
do anything to improve relations between NetBSD and OpenBSD developers.

>> > To be even more careful, I committed the fixes to the OpenBSD tree
>> > without describing the security problems in the commit messages.  Many
>> > vendors still ship (new) operating systems with these bugs unfixed.
>> 
>> So, in other words, you are being like Microsoft and are covering up
>> mistakes.  That's not how open software is supposed to be.

Um...  How can this be compared with covering up?  The problems have
been fixed, and anyone can examine the change logs and see exactly what
has been changed.  And the only thing gained by making the change logs
explicitly say that a security hole has been fixed is that cracker
wannabes get told _exactly_ where a (possible) problem they can
exploit is...  And in some cases how to exploit the problem.

>> And calling the developers of an OS that OpenBSD owes its existence to
>> "pricks" is not exactly good behavior either.  Strikes me as rather
>> hypocritical.
>
>Actually, OpenBSD was created due to some actions by the NetBSD core
>which cannot be described in any other way.  I'm not talking about the
>source code body, I'm talking about how they treated me.  And how they
>have treated other people who are now OpenBSD developers instead.
>
>I want to point out that 3 of 4 founders of NetBSD are not on NetBSD
>core anymore because of the politics.

Not to mention that more than a few NetBSD developers have switched to
OpenBSD.

Thorsten

PS!  In case it was not made clear above, I am one of the OpenBSD
     developers.
-- 
Thorsten Lockert        | postmaster@sigmasoft.com | Universe, n.:
1238B Page Street       | hostmaster@sigmasoft.com |         The problem.
San Francisco, CA 94117 | tholo@sigmasoft.com      |