From owner-freebsd-security Mon Feb 3 04:31:32 1997
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 05:37:28 CST." <199702031138.FAA21844@enteract.com>
Date: Mon, 03 Feb 1997 13:31:53 +0100
Message-ID: <748.854973113@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG

In message <199702031138.FAA21844@enteract.com>, "Thomas H. Ptacek" writes:

>I do have a general problem with a lack of announcement from the
>FreeBSD team about problems (as they're found), [...]

Well, it is to some extent a conflict of interest thing.

If I find a problem in some code, which I have not heard about anywhere
else, I usually commit it with a rather toned down commit message. There
is no reason to provide free munitions to criminals.

On the other hand, vulnerabilities that have been announced publically
we answer publically with the relevant information.

We could of course loudly praise our own genius and tell the world every
time we fix a problem, but we would essentially sell all of our users
every time we did so.

No easy solution I'm afraid.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.