
Re: OpenSSH: What went wrong?



>      I think you (and perhaps others) are mistaken about what I'm
> expecting here.  When something in the Government fucks up, they
> investigate and announce that something will be changed to try and
> make sure it doesn't happen again.  I don't expect there to be any
> "investigation", but I was kind of hoping that someone would come
> out and say "we're going to do this differently from now on so we
> catch more things before they hurt the public."  It sounds to me
> like you're saying nothing is going to change in the way the audit
> process is applied or in how code goes from idea to integrated for
> public use.

Absolutely nothing is going to change.

I spend more than 8 hours of every single day of my life auditing code
(and over the last week, 16+ hours a day), and here is some gay guy
from Australia who spent all of Usenix in San Antonio years ago moping
with droopy eyes after a very straight and girlfriended Mudge is not
going to tell me that I am not doing enough, when Mudge and Casper and
I and others were spending our time drinking beer and discussing
classes of bugs in code (select(2) fd_set overflows, etc).  I remember
you very clearly as one of the most _useless_ people at the
conference.  Not one original idea came out of your head.  You
couldn't even grasp what we were talking about, since you were
watching Mudge.  ISS people knew more about security.

And since then, not much has changed.  You just maintain legacy
support of one small component that an increasing number of operating
systems are replacing with their own.  You have no great skills of
comprehension when it comes to the larger model of things.  Unix is
too complicated for you to grasp, and you keep making suggestions that
show a lack of experience.  Just look at any part of ipf for weak
coding, and it stands out.  The userland commands especially show an
utter lack of polish.

And when you yammer about bugs in other projects' code, you never
supply any diffs.

We know you quite well.  In 8 years, the way you interact with this
community has not changed at all.

>      Now, had I large amounts of spare time that weren't doing
> other things, maybe I'd feel inclined to audit OpenSSH, but from
> what I've seen, the code is not very auditable.

You won't audit it because you cannot audit it!  You have no skills!

I challenge anyone to show us what Darren has done besides yell.

I've looked through our ChangeLogs, and there's nothing in there from
Darren, except for his old ipf stuff, which we removed with glee.
Even in FreeBSD and NetBSD, he never ventures into other parts of the
system.

> There are large
> chunks of it without any comments about what anything does.  Yes,

Right.  So is ipf.

> I know my code in the past has been no better but I've set a
> direction for at least myself to follow to ensure that isn't the
> case for the future.

Your code is 15 year old crap, maintained in a minimalistic fashion,
because you waste all your time on mailing lists trying to goad other
people into doing less work, so that your ineffectuality will not look
as bad as it is.

You just say you're going to make it better.  We've given you a
target: pf in -current is quite a bit faster than ipf in research done
by two papers.  Where's the diffs to make ipf catch up?

> It might take me some time to get there, but
> by the end the goal is for each section of code to have a clear
> purpose and be auditable against that purpose.  As a quick example
> of my problem, ssh.c:ssh_session().  What is it meant to do?  What
> does it do?  Does it do what's intended?  How do you tell?  Is it
> allowed to return 0xa5a5a5a5?  Others have minimal comments which
> say very little and do nothing to make the task of auditing easier.

Where are the diffs? Where are the diffs? Where are the diffs?

Our gift culture works on an economy of source code changes.

It does not operate on yelling and moaning and belligerent yammering
from some ineffectual boy who does not fit into the community.

>      I guess what I'm looking for is some amount of pompous words
> like those from Bill Gates about how there was a feature-freeze and
> everyone there was going into bug-fix mode.  His Bill-ness might be
> full of hot air at times like this and people might say it isn't
> achieving anything or laugh at him, but you can't say he's not
> responding and doing nothing about it.

Yeah, we're looking for more than pompous words too.  Where's the damn
diffs?

>      Whilst I might not have time to contribute anything in terms
> of auditing or writing code,

Again:  It is not the lack of time -- it is your lack of skill.

> I was kind of hoping that maybe I
> would have some ideas worth considering.

yammer yammer yammer.

We don't waste our time talking about ideas of process.  We sit down
and get to work.

> That they're rejected off
> hand with taunts indicates to me that any assistance from me to the
> OpenSSH project in terms of code audits would not be well received.

We are not rejecting any diffs, because there ARE NO DIFFS FROM YOU!

> Nor do I think helping a process which is broken achieves anything.
> Even if I audited all the code overnight, sent you a 10MB set of
> diffs, that would not solve what I perceive to be the real problems,
> because I get the feeling I would need to do it again, at some future
> point in time.  What can I do to help fix *that* problem ?  What can
> anyone do that's not in the OpenSSH development team ?  If it was a
> journalist (or someone else with no coding experience) asking you the
> same questions that I have, would you respond in the same way ?
> 
>      One thing I don't see in OpenSSH, which wasn't in OpenBSD either
> for a long time, is the idea of "release branches".  I understand that
> these can be a lot of work to maintain but maybe it is worth considering
> so people can opt to use a version that ages only with patches rather
> than new features as well.

Talk, talk, talk.

> p.s. I'm not trying to tell you what to do, just offer you ideas on how
> you might do things differently in the future which you are free to reject,
> ignore or take up.  I think I'll agree to disagree with you on how well
> the current environment/mechanisms work.

I understand you very clearly Darren.  You are just sticking to your
character of hate.  You are an ineffectual boy, and to try to gain
meaning in your life, you say things, but carelessly, and since you
keep repeating them, you have become well known as a kook.  I don't
know how to help you.

ps. apologies to any of you who are gay; i am not saying anything about
    you.  the story was simply to illustrate that when Darren came to
    a pure meeting of his intellectual peers, he completely failed to
    participate within the scope of such a meeting.  He is ineffectual.

pps. Thanks for being a foil.  It is so easy to make me look clever...