Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!howland.erols.net!worldnet.att.net!arclight.uoregon.edu!super.zippo.com!zdc!szdc!szdc-e!news
From: "John S. Dyson" <dyson@freebsd.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Mon, 10 Feb 1997 20:08:30 -0500
Organization: John S. Dyson's home machine
Lines: 89
Message-ID: <32FFC68E.167EB0E7@freebsd.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org> <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83846 comp.unix.bsd.misc:2492 comp.os.linux.misc:158316

Thomas H. Ptacek wrote:
>
> Fri, 07 Feb 1997 10:11:58 -0500 dyson@freebsd.org:
>
> While I am happy that Mr. Greenman and the FreeBSD Project are flexible
> and understanding enough to give troubleshooters the access required to
> fix the problems they find, the core issues that led to my limited
> involvement with FreeBSD have not yet been resolved.
>
The fact is that FreeBSD is much faster in responding to problems than
commercial software. You are as welcome to be involved as you wish, since
FreeBSD is a cooperative effort. If you use FreeBSD, then it benefits you
to help with it. If you don't use FreeBSD, then there are other alternatives.

>
> I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming
> with security issues that come to their attention. Representatives of
> FreeBSD, Inc. have explicitly stated, in public, that notifying their
> users of security issues discovered by FreeBSD proponents (as opposed to
> security issues discovered by criminals) amounts to "airing their dirty
> laundry".
>
I am also a representative of FreeBSD in this specific context, and it is
NOT an issue of airing their dirty laundry, but more an issue of alerting
lame hackers. Frankly, I do NOT run around in the hacker community, and
do NOT know what is known in that shady place.

>
> Evidently, FreeBSD, Inc. would like their thousands of users to
> learn about security problems by being broken into.
>
Wrong conclusion.

>
> While I understand and respect FreeBSD, Inc.'s desire to engineer the
> "correct" fix to problems before going "public" with them, I feel that
> open, full disclosure is a far more important immediate objective than
> perfect patches. Often, security issues can be resolved immediately,
> without program modification, with "chmod 0000".
>
So you would do that to your entire tree? That is the problem that we had
to deal with.

>
> Of course, FreeBSD and I have two very different perspectives on this
> situation. FreeBSD, Inc. operates from the perspective of experienced
> operating system developers. My attitudes are generated from an intimate
> familiarity with the workings of the computer underground. Unlike the
> FreeBSD Project, I work under the assumption that any security problem
> found in FreeBSD's code has been discovered previously by someone else
> with the ability and willingness to exploit it. Therefore, from my
> perspective, there's no point in not fully disclosing issues as their
> existence becomes apparent.
>
Bingo. Most of us just don't run around in those circles, and find them
to be unsavory anyway. I also have very tight ethics rules that I have to
follow -- and the hacker community (the bad kind of hackers that is) is
not where I want to tread.

>
> It seems to be that FreeBSD's apparent hesitation to deal directly with
> OpenBSD and OpenBSD's fixes does a disservice to their users. I would like
> to understand the source of tension between the two projects, and think
> that a dialogue between OpenBSD and FreeBSD developers would do a world of
> good for many, many organizations running FreeBSD code.
>
The problem goes both ways, and the history of FreeBSD/NetBSD has been
mostly a result of misunderstandings due to differences of emphasis and
the very weak communications mechanism that email appears to be. FreeBSD
will have the security problems plugged, and hopefully you will help as
this is a volunteer effort and continue to make money using FreeBSD as a
tool.

>
> Thanks for taking the time to read this.
>
Frankly, FreeBSD has responded very quickly, and had the last set of
problems fixed in approx 1 wk. We have been trying to open communications
with various ISPs in order to find out what help they need, but please
don't ask us (especially me) to deal with the unsavory underside of the
computer community. There are those that will, but I for one won't.

John Dyson
dyson@freebsd.org
(FreeBSD-core)