Re: OpenSSH: What went wrong?



> In some mail from kjell@pintday.org, sie said:
> > 
> > > So what are you doing to prevent this sort of thing from recurring ?
> > 
> > Nothing, Darren. We're gonna sit here on our hands. I mean,
> > the remote vulnerability record is gone. Why should we bother anymore?
> 
> That's not what I was looking for and that's not what lots of other
> people are looking to hear either.  I'm not particularly interested
> in sarcasm either - the humour of it is not appreciated at this point
> in time.
> 
> This question was about openssh - ok, so it's on an openbsd list.
> 
> There have been lots of shouting and so forth in the past about how
> OpenSSH/BSD is audited and how the team of coders is so security
> conscious, etc, but then something like this happens.

Yes, and it happens everywhere else a whole hell of a lot more, so what
is your point?

> What I was really looking for was some sort of statement saying that
> all new code would be checked more closely, not some cop-out about
> how this was a new kind of problem or anything else.

And where is your help?

> What I expect is to hear about how the process of getting (new) code
> into OpenSSH becomes tougher and must be reviewed by at least 1 other
> person before being committed and then maybe another after commit.

We've been doing that for 6 years.  What is your point, and where is
your help?

> Ok, the software might be for free and it might be a case of you get
> what you pay for, BUT, you are "selling" it with a lot of hype and
> building a lot of expectation in the user community.  Does anyone
> actually plan to deliver on that or is just lies, like those you get
> from a politician in a lead-up to an election ?

And where is your assistance?

> Lots of people's security depends on this (openssh) so it's important
> for me and a lot of others that someone gets it right.

And if that is the case, why is it that there are ZERO PATCHES in this
code from you?  Not one.  Not stinking ONE patch in this code from
you.

> > > I don't particularly like the idea that this is a "new type of overflow".
> > 
> > Yeah. And I was sort of annoyed when format string vulnerabilities
> > came on the scene. What is your point?
> 
> A proper code audit would have picked it up.

Yes, which is why we first became aware of it through YOU, because you were
helping with a proper audit?  No.  We became aware of it from OTHER people

> > > What that says to me is that you aren't really auditing software
> > > properly if these kinds of things have slipped through previous audits.
> > 
> > And you aren't auditing software at all.
> 
> What makes you say that?

Pot, Kettle, Black.