From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: 10 Feb 1997 23:48:46 GMT
Organization: EnterAct, L.L.C.
Lines: 65
Message-ID: <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83421 comp.unix.bsd.misc:2452 comp.os.linux.misc:157657

Fri, 07 Feb 1997 10:11:58 -0500 dyson@freebsd.org:
>Yep, we only found out about it a few days ago, and now Tom is one
>of our committers. It is probably very good to have a competent
>ISP represented on the committers list. I have personally been
>in contact with another, very security conscious ISP, and hope

Just a clarification, Mr. Dyson: I have CVS commit access based on a conversation I had with Mr. Greenman regarding the most efficient method for me to resolve security problems in FreeBSD. This discussion followed from a criticism by me of the general lack of attention that problem-reports seem to receive from FreeBSD, Inc.

While I am happy that Mr. Greenman and the FreeBSD Project are flexible and understanding enough to give troubleshooters the access required to fix the problems they find, the core issues that led to my limited involvement with FreeBSD have not yet been resolved. I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming with security issues that come to their attention. Representatives of FreeBSD, Inc. have explicitly stated, in public, that notifying their users of security issues discovered by FreeBSD proponents (as opposed to security issues discovered by criminals) amounts to "airing their dirty laundry". Evidently, FreeBSD, Inc. would like their thousands of users to learn about security problems by being broken into.

While I understand and respect FreeBSD, Inc.'s desire to engineer the "correct" fix to problems before going "public" with them, I feel that open, full disclosure is a far more important immediate objective than perfect patches. Often, security issues can be resolved immediately, without program modification, with "chmod 0000".

Of course, FreeBSD and I have two very different perspectives on this situation. FreeBSD, Inc. operates from the perspective of experienced operating system developers. My attitudes are generated from an intimate familiarity with the workings of the computer underground. Unlike the FreeBSD Project, I work under the assumption that any security problem found in FreeBSD's code has been discovered previously by someone else with the ability and willingness to exploit it. Therefore, from my perspective, there's no point in not fully disclosing issues as their existence becomes apparent.

Finally, with regards to my involvement with the FreeBSD project, I'd like to say for the record that I do not consider myself "officially involved with" FreeBSD, and would imagine that the FreeBSD project feels likewise about me. I do not speak to FreeBSD developers as a "representative" to or from the security or ISP communities.

With regards to the introduction of security fixes into the FreeBSD operating system, I'd like to make it clear that, in most cases, I'm taking my cues from the OpenBSD project, who, I feel, have put far more effort into securing 4.4BSD than FreeBSD. It seems to me that FreeBSD's apparent hesitation to deal directly with OpenBSD and OpenBSD's fixes does a disservice to their users. I would like to understand the source of tension between the two projects, and think that a dialogue between OpenBSD and FreeBSD developers would do a world of good for many, many organizations running FreeBSD code.

Thanks for taking the time to read this.

-- 
---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ----------------
exit(main(kfp->kargc, argv, environ));