From: Mikhail
To: freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
Comments: In-reply-to Bryan Drewery message dated "Sat, 19 Apr 2014 02:11:02 -0500."
Date: Sun, 20 Apr 2014 05:46:34 +0400

>On 4/14/2014 7:32 AM, Jamie Landeg-Jones wrote:
>> Matt Dawson wrote:
>>
>>> My first thought when I saw this was "ego over ethics," which says more
>>> about Theo than FreeBSD.
>>
>> Totally.
>>
>> I know Theo has a reputation for being 'difficult', but in my opinion,
>> this outburst really calls into question his perceived motivations
>> regarding secure software.
>>
>> As to the specific question, I don't think his ego would allow a bug
>> in openssh to persist, so even if it does, I'd suspect it's not too
>> serious (or it's non-trivial to exploit), and it's related to FreeBSD
>> produced 'glue'.
>>
>> This is total guesswork on my part, but I'd therefore assume he was
>> talking about openssh in base, rather than openssh-portable in
>> ports.
>>
>
>As the maintainer of the port I will say that your security decreases
>with each OPTION/patch you apply. I really would not be surprised if one
>of the optional patches available in the port had issues.

I believe that Theo just browbeat. Reasons? It was looooong ago, I think
very few still remember, but Theo definitely does:

http://lists.freebsd.org/pipermail/freebsd-security/2005-March/002719.html