Re: Locally exploitable races? OpenBSD
O.K. I usually don't speak on these matters, as I really find it useless most
of the time. But I would like to make a point that seems to have gone
unnoticed. I think other developers might agree, but I can't speak for
them. This is my opinion:

Time. It takes time to attend to issues. Not just this one issue, but all
issues. I think the acronym ASAP has been taken out of context. Does it
really mean NOW, or As Soon As Possible?

We are all busy people. It's not that we are ignoring anything, we are
prioritizing. I'm absolutely positive that everybody in this world has to
do this to some extent.

Here is what would help: A diff. A plain simple diff. We love them. We
don't often get them. It would have been nice if the original author of the
bugtraq provided a diff. But that is up to him and we certainly don't
demand it of him. He did propose to help fix the problem and that is great.
It's wonderful when people want to get involved. But you really don't even
have to propose to fix something. Just send a diff. It will get looked at
far quicker and possibly lead to a resolution ASAP.

Please understand that most of the developers also have other jobs/school
and possibly families to attend to. Would we like to devote all of our time
to OpenBSD? You bet! But most of the time it is not possible.

Finally, I would like to take this time to thank all of the people who have
sent diffs and who do contribute to OpenBSD. Thanks for the support. We
appreciate it.

Sincerely,
Steve
----- Original Message -----
From: "Zvezdelin" <zvezdi@freenet.nether.net>
To: "Todd C. Miller" <Todd.Miller@courtesan.com>
Cc: <tech@openbsd.org>
Sent: Wednesday, June 06, 2001 04:35 PM
Subject: Re: Locally exploitable races? OpenBSD
> On Tue, 5 Jun 2001, Todd C. Miller wrote:
>
> > What he's talking about is completely irrelevant because it requires
> > things use rfork() and nothing in the system does...
> >
> > Should the races get fixed? Yes.
> > Is it a real problem? Nope.
> > Should developers respond to obvious flame bait? No again.
> >
> > - todd
> >
> I want to share my thoughts on the above with you...
> and please don't take it as flames, 'cause they aren't
>
> Now, I thought of OpenBSD and its developers as people who
> care for security and stability more than anything else,
> well not exactly. It looks like fixing security related and stability
> related is less important in the priority list than say www site and
> docs.....
>
> Now, if you read the message carefully you'll see that the person has
> informed Theo a couple of weeks ago and has offered assistance. Looks
> to me [and it is being presented] as that Theo didn't react at all,
> and now the same thing: no reaction at all.
>
> So, OpenBSD is on the first line on the Bugtraq to say "we aren't vuln to
> this", this problem is fixed a couple of months ago etc., and when it goes
> to admitting problems in the OpenBSD, it is not exactly the same?
> Yeah, I know, there have been times where it had been different,
> but ...
>
> And 1 more thing, don't say that because this software is free,
> you the people who take care of it, present it the way it is
> and you're responsible for anything. Yes, technically you are not,
> by Law too, but don't forget that some things are into your mind,
> and you can't make it shut up when you knew about a problem and did not
> have the courage or honesty to admit it and fix it ASAP.
>
> You can't be very strict on one thing [like ipfilter] and be sloppy on
> others. You are either strict or sloppy, not anything between.
>
> Sorry,
> but that is what I think on this subject, and maybe it wasn't worth
> saying it, but at least I tried.
>
> With all the respect to you and your Job -- OpenBSD,
> Zvezdelin