*BSD News Article 94007


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newshub2.home.com!news.home.com!su-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.direct.ca!nntp.portal.ca!cynic.portal.ca!not-for-mail
From: cjs@cynic.portal.ca (Curt Sampson)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 20 Apr 1997 17:06:35 -0700
Organization: Internet Portal Services, Inc.
Lines: 56
Message-ID: <5jeb2b$ata@cynic.portal.ca>
References: <3356E1CC.299E@softway.com.au> <DERAADT.97Apr18181055@zeus.pacifier.com> <5jdgaf$34i@cynic.portal.ca> <DERAADT.97Apr20113509@zeus.pacifier.com>
NNTP-Posting-Host: cynic.portal.ca
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6686 comp.unix.bsd.misc:3023 comp.security.unix:33771


In article <DERAADT.97Apr20113509@zeus.pacifier.com>,
Theo de Raadt <deraadt@theos.com> wrote:

>   As has OpenBSD. Although I notice your FTP server still has no way
>   of doing anonymous uploads that are secure from abuse by warez-traders.
>[stuff about motes in my eyes, etc. deleted]

I am not pointing this out to get into a spitting match; I'm pointing
this out to show that you too have holes that are not closed, Theo.
You regularly insinuate that you have fixed holes that others
haven't, but you never describe the exact holes you fix: you just
say `look at our change logs,' which don't describe the attacks at
all. Without a proper analysis of the attacks, which you refuse to
provide, there's no real evidence that many of the things you have
`fixed' were ever broken.

>And the source routing controls in the kernel appear
>completely insufficient compared to the threat.

A typical insinuation. What exactly does the OpenBSD kernel do with
source routed packets that the NetBSD kernel doesn't, Theo?

>   But heck, let's spend our time making snide comments instead of
>   working to fix security problems and share the information so that
>   the fixes can be as widely distributed as possible.
>
>Yes, Curt, that's exactly what you are doing!!!

Oh, you mean *I* was the one that posted the snide comment in
response to the FreeBSD folks. Sorry for putting your name in the
From: line, Theo.

>I look forward to the day we are able to look at cvs logs for the
>NetBSD source tree!

So do we all. But I think that's been gone over already.

>The fixes are there, and they are shared with the world.

The fixes are not as important as proper descriptions of the problem,
Theo. It's very difficult to work back to the original problem from
your fix, and thus even more difficult to verify that your fix is
correct.

>When we got fixes from other people, we gave credit.

Yeah, it's just when you take entire ports that you don't give
credit, hmm? If you've got the name of the person who wrote your
Alpha port anywhere outside the source code, it's well hidden enough
that I can't find it. And that goes for a lot of other code, too.

cjs
-- 
Curt Sampson    cjs@portal.ca	   Info at http://www.portal.ca/
Internet Portal Services, Inc.	   Through infinite myst, software reverberates
Vancouver, BC  (604) 257-9400	   In code possess'd of invisible folly.