*BSD News Article 88920



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!goanna.cs.rmit.edu.au!news.apana.org.au!cantor.edge.net.au!news.mira.net.au!inquo!nntp.uio.no!newsfeeds.sol.net!feed1.news.erols.com!news.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: 10 Feb 1997 23:48:46 GMT
Organization: EnterAct, L.L.C.
Lines: 65
Message-ID: <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83421 comp.unix.bsd.misc:2452 comp.os.linux.misc:157657

Fri, 07 Feb 1997 10:11:58 -0500 dyson@freebsd.org:
>Yep, we only found out about it a few days ago, and now Tom is one
>of our committers.  It is probably very good to have a competent
>ISP represented on the committers list.  I have personally been
>in contact with another, very security conscious ISP, and hope

Just a clarification, Mr. Dyson:

I have CVS commit access based on a conversation I had with Mr. Greenman
regarding the most efficient method for me to resolve security problems in
FreeBSD. This discussion followed from a criticism by me of the general
lack of attention that problem-reports seem to receive from FreeBSD, Inc. 

While I am happy that Mr. Greenman and the FreeBSD Project are flexible
and understanding enough to give troubleshooters the access required to
fix the problems they find, the core issues that led to my limited
involvement with FreeBSD have not yet been resolved. 

I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming
with security issues that come to their attention. Representatives of
FreeBSD, Inc. have explicitly stated, in public, that notifying their
users of security issues discovered by FreeBSD proponents (as opposed to
security issues discovered by criminals) amounts to "airing their dirty
laundry". Evidently, FreeBSD, Inc. would like their thousands of users to
learn about security problems by being broken into. 

While I understand and respect FreeBSD, Inc.'s desire to engineer the
"correct" fix to problems before going "public" with them, I feel that
open, full disclosure is a far more important immediate objective than
perfect patches. Often, security issues can be resolved immediately,
without program modification, with "chmod 0000". 

Of course, FreeBSD and I have two very different perspectives on this
situation. FreeBSD, Inc. operates from the perspective of experienced
operating system developers. My attitudes are generated from an intimate
familiarity with the workings of the computer underground. Unlike the
FreeBSD Project, I work under the assumption that any security problem
found in FreeBSD's code has been discovered previously by someone else
with the ability and willingness to exploit it. Therefore, from my
perspective, there's no point in not fully disclosing issues as their
existence becomes apparent.

Finally, with regards to my involvement with the FreeBSD project, I'd like
to say for the record that I do not consider myself "officially involved
with" FreeBSD, and would imagine that the FreeBSD project feels likewise
about me. I do not speak to FreeBSD developers as a "representative" to or
from the security or ISP communities. With regards to the introduction of
security fixes into the FreeBSD operating system, I'd like to make it
clear that, in most cases, I'm taking my cues from the OpenBSD project,
who, I feel, have put far more effort into securing 4.4BSD than FreeBSD.

It seems to me that FreeBSD's apparent hesitation to deal directly with
OpenBSD and OpenBSD's fixes does a disservice to their users. I would like
to understand the source of tension between the two projects, and think
that a dialogue between OpenBSD and FreeBSD developers would do a world of
good for many, many organizations running FreeBSD code.

Thanks for taking the time to read this.

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));