Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!nntp.portal.ca!cynic.portal.ca!not-for-mail
From: cjs@cynic.portal.ca (Curt Sampson)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix
Subject: Re: OpenBSD hides security fixes (and blindly integrates code)
Date: 17 Feb 1997 03:09:15 -0800
Organization: Internet Portal Services, Inc.
Lines: 53
Message-ID: <5e9e8r$ak4@cynic.portal.ca>
References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net> <slrn5gdgk7.cne.tqbf@char-star.rdist.org>
NNTP-Posting-Host: cynic.portal.ca
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5422 comp.security.unix:31835

In article <slrn5gdgk7.cne.tqbf@char-star.rdist.org>,
Thomas H. Ptacek <tqbf@enteract.com> wrote:

>Nor is it ethical of them to intentionally complicate the integration.

No, you're quite right. It was childish to put that #ifdef into the
NetBSD source code. And it's been taken out.

>If Theo de Raadt inserted preprocessor directives to intentionally turn
>off security fixes #ifdef __NetBSD__, the community would be up in arms.

No, probably not. It's already the general feeling in the NetBSD
community that Theo has an interest in making it difficult for us
to move things from OpenBSD back into NetBSD. (I'm not going to
argue about whether that perception is actually true or not, however.)

>When someone does that to him, it becomes an opportunity to mock the
>OpenBSD project in public. Are you aware of the amount of work OpenBSD
>developers (not just Mr. de Raadt, but also many, many people who don't
>care to squabble with *BSD developers every day) put in to auditing
>the code?

Evidently not a lot. That piece of code went into the OpenBSD source
tree without being run even once. (Or niklas was quite happy
committing something that was obviously completely broken.) Quite
possibly it wasn't even compiled. And it sat there for almost three
months (from October 30th to January 24th) before anybody noticed
that the Alpha port wouldn't even boot anymore.

Let's face it: that does not really give one a lot of confidence
in the testing that OpenBSD does on committed code. Presumably your
testing is a little less perfunctory for other bits of code (perhaps
you run it once before committing).

Of course, the other option is that the Alpha port isn't `supported'
in the sense that you don't actually check to see if anything on
that particular port works. If so, you should specify that on your
web page, rather than making it seem as if it is actively worked on.

Oh yes, and then Theo outright lied and said that #ifdef had never
been committed. Or we can be charitable and say that Theo doesn't
really know what's going into his own source tree, and can't be
bothered to use cvs to find out before he makes a public statement
about it. Are we supposed to believe him when he says other things
are fixed?

cjs
--
Curt Sampson    cjs@portal.ca      Info at http://www.portal.ca/
Internet Portal Services, Inc.     Through infinite myst, software reverberates
Vancouver, BC  (604) 257-9400      In code possess'd of invisible folly.