*BSD News Article 89572

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!news.kei.com!news.mathworks.com!panix!news.panix.com!not-for-mail
From: tls@panix.com (Thor Lancelot Simon)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix
Subject: Re: OpenBSD hides security fixes (and blindly integrates code)
Date: 16 Feb 1997 05:13:11 -0500
Organization: Panix
Lines: 31
Message-ID: <5e6mjn$q3n@panix2.panix.com>
References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net> <DERAADT.97Feb16012623@zeus.pacifier.com>
Reply-To: tls@rek.tjls.com
NNTP-Posting-Host: panix2.panix.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5478 comp.security.unix:31943

In article <DERAADT.97Feb16012623@zeus.pacifier.com>,
Theo de Raadt <deraadt@theos.com> wrote:
>In article <5e69v0$1u4@news.bayarea.net> thorpej@baygate.bayarea.net (Jason R. Thorpe) writes:
>
>   While I don't approve of this hack being done,
>
>I'll bet you don't.

No, he doesn't.  Neither do I.  In fact, we beat this to death internally, and
I don't really think anyone's glad that it happened.  On the other hand, quite
a few people expressed surprise that said #ifndef made it into OpenBSD, since
that pretty clearly indicates that said code was integrated _without anyone
ever even reading it_ -- rather a stunner, for an operating system which
claims to have security as one of its primary goals.

>   it raises the question
>   of whether OpenBSD can rightfully claim to be secure.
>
>Code which fails to boot has little to do with security.

What, as an abstract issue, as divorced from all others?  It may, or it may
not.

Certainly, code which is integrated into an operating system without ever
being examined has a *great deal* to do with security.

-- 
This space not left unintentionally unblank.            tls@rek.tjls.com
$OpenBSD: locore.s,v 1.5 1996/10/30: Blindly integrating source code,
$OpenBSD: locore.s,v 1.7 1997/01/24: so you can lose for 8 weeks.
				     "Sleep tight."