Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!news.kei.com!news.mathworks.com!worldnet.att.net!ix.netcom.com!news.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix
Subject: Re: OpenBSD hides security fixes (and blindly integrates code)
Date: 16 Feb 1997 08:16:44 GMT
Organization: EnterAct, L.L.C.
Lines: 59
Message-ID: <slrn5gdgk7.cne.tqbf@char-star.rdist.org>
References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15155022@zeus.pacifier.com> <5e5vkb$d89@panix2.panix.com> <DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5390 comp.security.unix:31778

16 Feb 1997 06:37:20 GMT thorpej@baygate.bayarea.net:
>Firstly, it is not the NetBSD Project's job to make it easy for
>you to integrate code.

Nor is it ethical of them to intentionally complicate the integration.
Mr. de Raadt isn't asking the NetBSD project developers to personally
merge the code into OpenBSD. I am a bit shocked that the NetBSD project
would intentionally manipulate their sources to make it harder for other
projects to merge changes.

Some of the users of OpenBSD and NetBSD don't care for the politics
involved between the two teams. Yet, by and large, those users are going
to pay for these pranks just as badly as the direct participants of these
arguments will.

If Theo de Raadt inserted preprocessor directives to intentionally turn
off security fixes #ifdef __NetBSD__, the community would be up in arms.
When someone does that to him, it becomes an opportunity to mock the
OpenBSD project in public.

Are you aware of the amount of work OpenBSD developers (not just Mr. de
Raadt, but also many, many people who don't care to squabble with *BSD
developers every day) put in to auditing the code? You seem quite happy
to discount their work, which has been made available to the public at
the contributors' expense.

>Secondly, the OpenBSD project does not exactly go out of their way to
>make it easy for others to integrate the "security" fixes. One such

The OpenBSD project doesn't seem to believe in detailed CVS logs. So
what? The mechanisms by which OpenBSD developers internally document
changes are relevant only to the OpenBSD developers. OpenBSD developers
do not go out of their way to make their (obvious) security fixes
inaccessible to other projects.

The FreeBSD project, along with (I can only assume) the NetBSD project,
tracks quite successfully the progress of OpenBSD. FreeBSD in particular
has several developers combing the OpenBSD sources for changes, none of
whom have complained publicly that OpenBSD is trying to make life harder
for them.

>example is OpenBSD's src/usr.bin/rsh/rsh.c, where an apparent security
>fix was committed in a revision containing the following log message:

How is this at all germane? What you've just copied into the newsgroup
seems to me like a perfectly normal CVS change, albeit poorly documented.
Is Mr. de Raadt somehow obligated to formally document proactive
security-relevant changes to every other OS project in the world? The
change you're citing was not a response to a discovered vulnerability in
rcmd().

>has to wonder _why_ this was done, given that the code path just
>does and exec's rlogin, which is setuid-root anyhow...)

If you have to ask...

--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));