[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenSSH: What went wrong?
In some mail from email@example.com, sie said:
> > So what are you doing to prevent this sort of thing from reoccuring ?
> Nothing, Darren. We're gonna sit here on our hands. I mean,
> the remote vulnerability record is gone. Why should we bother anymore?
That's not what I was looking for and that's not what lots of other
people are looking to hear either. I'm not particularly interested
in sarcasm either - the humour of it is not appreciated at this point
This question was about openssh - ok, so it's on an openbsd list.
There have been lots of shouting and so forth in the past about how
OpenSSH/BSD is auditted and how the team of coders is so security
conscious, etc, but then something like this happens.
What I was really looking for was some sort of statement saying that
all new code would be checked more closely, not some cop-out about
how this was a new kind of problem or anything else.
What I expect is to hear about how the process of getting (new) code
into OpenSSH becomes tougher and must be reviewed by at least 1 other
person before being committed and then maybe another after commit.
Ok, the software might be for free and it might be a case of you get
what you pay for, BUT, you are "selling" it with a lot of hype and
building a lot of expectation in the user community. Does anyone
actually plan to deliver on that or is just lies, like those you get
from a politican in a lead-up to an election ?
Lots of people's security depends on this (openssh) so it's important
for me and a lot of others that someone gets it right.
> > I don't particularly like the idea that this is a "new type of overflow".
> Yeah. And I was sort of annoyed when format string vulnerabilities
> came on the scene. What is your point?
A proper code audit would have picked it up.
> > What that says to me is that you aren't really auditting software
> > properly if these kinds of things have slipped through previous audits.
> And you aren't auditing software at all.
What makes you say that?