Dag-Erling Smørgrav wrote:
> Dirk Engling <erdgeist at erdgeist.org> writes:
>> Have those findings officially been reported? Is someone working on
>> them?
> Speaking as a secteam member but not on behalf of so@, we are aware of
> these issues but did not get sufficient advance notice to fix them in
> time for DefCon.
>
> DES
After reading the presentation a few minutes ago... I'm going to say the
obvious....
He has a point.
.. now to add something more helpful .. :)
People should talk between themselves, and maybe people should put
security and co-operation before pride and empires... before us vs.
them... and I know that means it's not just FreeBSD, but also NetBSD and
OpenBSD people who have historically had their differences... perhaps
now is the time for an olive branch? (And there is a massive 'us vs.
them' on IRC when it comes to OpenBSD and FreeBSD.)
From a personal point of view and from my own observations, I would add
that Microsoft et al. all went through similar issues to those everyone
is seeing today.. everyone wants new features, everyone wants new
drivers, everyone thinks they want new releases... perhaps a shift is
needed in thoughts/actions when it comes to FreeBSD.... this constant
push forward leaves bugs which often become security issues in old
code.. 2 of the highlighted bugs in the presentation were introduced in
8.1... In the past I opened filesystem bugs against 9.x (I think it was
9.2, then 9.3, for one of the bugs)... however it was never fixed (and
the one I am thinking of is a "panicable" one)... in fact I predicted
that what would happen would be that the bug would be looked at just
after 9.x was EOL'd completely... and it was hilarious.. on the 6th of
Jan (IIRC) the message came through, "please replicate on a supported
version" ... I haven't, and I haven't submitted a single bug since....
and why would I?
Perhaps we should consider a change in how we manage these things, and
sorry if this message p**ses off anyone (particularly those in the
Security Team) because I know you all do good work, however the whole
"well, you should pay for our time" argument compounds the problem: it
won't get any more funds in most cases, it will just p**s people off
elsewhere, so you end up with fewer eyes looking for these issues.... this
is one of the things Linux has gotten right.. fix bugs no matter what
and regardless; new features are a different matter, that's at the whim
of a coder.
I hope this will start a constructive conversation rather than people
ignoring or worse arguing.
Regards,
--
Michelle Sullivan
http://www.mhix.org/